
Solaris 10 5/08 Trusted Extensions Security Release Notes Common Criteria Certification

Author:

Document Number: s10u5TX_400

Date: March 24, 2009

Version: 0.60

Abstract

This document provides security related release notes for a Common Criteria certified system, and in particular discusses the physical and procedural countermeasures that are required in order to ensure that Solaris 10 5/08 Trusted Extensions is operated in a secure manner. It is intended to complement the existing user and administration documentation.

2008 Sun Microsystems, Inc. 4150 Network Circle, Santa Clara, California 95054 U.S.A.

Sun Microsystems, Inc. has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more U.S. patents or pending patent applications in the U.S. and in other countries.

U.S. Government Rights - Commercial software. Government users are subject to the Sun Microsystems, Inc. standard license agreement and applicable provisions of the FAR and its supplements.

This distribution may include materials developed by third parties.

Parts of the product may be derived from Berkeley BSD systems, licensed from the University of California. UNIX is a registered trademark in the U.S. and other countries, exclusively licensed through X/Open Company, Ltd.

Sun, Sun Microsystems, the Sun logo, the Solaris logo, the Java Coffee Cup logo, docs.sun.com, Solaris Management Console, Sun Ray, StarOffice, Java, and Solaris are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. in the U.S. and other countries. Products bearing SPARC trademarks are based upon an architecture developed by Sun Microsystems, Inc. PostScript is a trademark or registered trademark of Adobe Systems, Incorporated, which may be registered in certain jurisdictions.

The OPEN LOOK and Sun™ Graphical User Interface was developed by Sun Microsystems, Inc. for its users and licensees. Sun acknowledges the pioneering efforts of Xerox in researching and developing the concept of visual or graphical user interfaces for the computer industry. Sun holds a non-exclusive license from Xerox to the Xerox Graphical User Interface, which license also covers Sun’s licensees who implement OPEN LOOK GUIs and otherwise comply with Sun’s written license agreements.

Products covered by and information contained in this publication are controlled by U.S. Export Control laws and may be subject to the export or import laws in other countries. Nuclear, missile, chemical or biological weapons or nuclear maritime end uses or end users, whether direct or indirect, are strictly prohibited. Export or reexport to countries subject to U.S. embargo or to entities identified on U.S. export exclusion lists, including, but not limited to, the denied persons and specially designated nationals lists is strictly prohibited.

DOCUMENTATION IS PROVIDED ‘AS IS’ AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID.


Revision History

Version   Date         Author         Comments
0.60      March 2009   Vanessa Kong   First issue for Solaris 10 5/08 Trusted Extensions Common Criteria Evaluation.


vi Solaris 10 5/08 Trusted Extensions Security Release Notes Common Criteria Certification 3/24/09

Contents

1 Introduction ..... 1
  1.1 Purpose ..... 1
  1.2 Structure ..... 1
  1.3 Terminology ..... 1
  1.4 References ..... 1
2 User Security Notes ..... 3
  2.1 Overview ..... 3
  2.2 Logging in ..... 3
  2.3 Passwords ..... 3
  2.4 Groups ..... 4
  2.5 Protecting Data ..... 4
  2.6 Mail ..... 5
  2.7 Allocating Devices ..... 6
  2.8 Removable Media ..... 6
  2.9 Serial Login Devices ..... 6
3 Administrator Security Notes ..... 7
  3.1 Purpose ..... 7
  3.2 Physical Security ..... 7
  3.3 Secure Installation ..... 7
    3.3.1 Installation Media Verification ..... 8
    3.3.2 Installing Solaris 10 5/08 ..... 8
      3.3.2.1 SPARC ..... 8
      3.3.2.2 x64 / x86 ..... 9
    3.3.3 Installing the Solaris 10 5/08 Trusted Extensions Common Criteria Packages ..... 9
    3.3.4 Installing Solaris 10 5/08 Common Criteria Patch Set ..... 10
    3.3.5 Installing Solaris 10 5/08 Trusted Extensions ..... 10
    3.3.6 Installing Solaris 10 5/08 Trusted Extensions Common Criteria Patch Set ..... 11
  3.4 Secure Configuration ..... 11
    3.4.1 Setting root Password ..... 11
    3.4.2 Setting Hardware Passwords ..... 11
      3.4.2.1 Setting PROM Password - SPARC ..... 11
      3.4.2.2 Setting BIOS Password - x64 / x86 ..... 12
    3.4.3 Setting umask ..... 12
    3.4.4 Boot Device ..... 12
      3.4.4.1 SPARC Configuration ..... 12
      3.4.4.2 x64 / x86 Configuration ..... 12
    3.4.5 32- and 64-bit Modes ..... 12
    3.4.6 Device Allocation ..... 13
    3.4.7 Password Policy ..... 13
    3.4.8 Disable xhost Command ..... 13
    3.4.9 Configuration File for Name Service - nsswitch.conf ..... 13
    3.4.10 Configuration of Files and Tables ..... 14
    3.4.11 Default User and Group IDs ..... 14
    3.4.12 Solaris Management Console (SMC) ..... 15
    3.4.13 NFS-Mounted Audit Directories ..... 15
    3.4.14 Hardware-Specific Configuration Tasks ..... 15
      3.4.14.1 SunFire System Controller Cards ..... 15
    3.4.15 Abstract Machine Tests ..... 15
    3.4.16 Disable Dtsession Unlock With root Password ..... 16
    3.4.17 Buffer Overflow in nawk(1) ..... 16
    3.4.18 Buffer Overflow in rcp(1) Command Line Argument ..... 16
    3.4.19 IPv6 Re-Numbering ..... 16
    3.4.20 Simultaneous Multi-Threading Processors May Leak Information ..... 17
  3.5 Secure Startup ..... 19
    3.5.1 Secure Start-up - SPARC Workstations ..... 19
    3.5.2 Secure Start-up - SPARC Servers ..... 20
    3.5.3 Secure Start-up - x64 / x86 Platforms ..... 20
    3.5.4 Operational Modes ..... 20
      3.5.4.1 Multi-user Mode ..... 20
      3.5.4.2 Single-user Mode ..... 20
    3.5.5 Security ..... 21
    3.5.6 Administrative Components ..... 21
    3.5.7 auditd Is Started After logind ..... 21
  3.6 Secure Operation ..... 22
    3.6.1 Setting Up An LDAP Server ..... 22
    3.6.2 The root Account ..... 23
    3.6.3 Users and Groups ..... 23
      3.6.3.1 Creating Local Groups ..... 23
      3.6.3.2 Deleting Local Groups ..... 23
      3.6.3.3 Creating Local Users ..... 23
      3.6.3.4 Suspending Local Users ..... 23
      3.6.3.5 Deleting Local Users ..... 24
      3.6.3.6 Creating a Network User ..... 24
      3.6.3.7 Suspending a Network User ..... 24
      3.6.3.8 Deleting Network Users ..... 25
      3.6.3.9 Further Information on Local and Network Users ..... 25
    3.6.4 Sharing Filesystems ..... 25
    3.6.5 Discretionary Access Control ..... 26
    3.6.6 Accounting and Audit ..... 26
    3.6.7 Devices ..... 29
    3.6.8 Trusted Clients ..... 29
    3.6.9 Unauthorised Software ..... 30
    3.6.10 Checking the Configuration ..... 30
    3.6.11 Mail ..... 30
    3.6.12 Secure Operating Procedures ..... 30
    3.6.13 Administration Documentation ..... 30
    3.6.14 login -f Option ..... 31
    3.6.15 Entry Into Debugger Mode ..... 31
    3.6.16 Truncated Password ..... 31
    3.6.17 /bin/login is setuid ..... 31
    3.6.18 mail(1), mailx(1) is setgid ..... 32
    3.6.19 /usr/ucb/ps -e ..... 32
    3.6.20 /usr/bin/eject ..... 32
    3.6.21 dtterm(1) Window Title ..... 32
    3.6.22 libXpm ..... 33
    3.6.23 RBAC exec_attr(4) Search in LDAP ..... 33
    3.6.24 format(1M) Shell Escape in RBAC ..... 33
    3.6.25 Audit Records Longer Than 65K May be Lost ..... 33
    3.6.26 Warning Regarding TRACE Option in SMC ..... 34
    3.6.27 GIMP Online ..... 34
    3.6.28 /usr/bin/cancel ..... 34
    3.6.29 snoop(1M) ..... 34
    3.6.30 Assuming Roles ..... 34

1 Introduction

1.1 Purpose

This document provides the security release notes for a Solaris 10 5/08 Trusted Extensions Common Criteria certified system. Within this document are instructions to both users and administrators regarding procedural measures that are required to complement the security functionality of Solaris 10 5/08 Trusted Extensions. These measures are mandatory if the product is to be operated in a secure manner.

This document is to be read in conjunction with the user and administrative documentation listed within Section 1.4, “References”.

1.2 Structure

This chapter provides an introduction.

Chapter 2 provides instructions to normal users.

Chapter 3 provides instructions to system administrators.

1.3 Terminology

The terminology used in this document is consistent with Solaris 10 5/08 Trusted Extensions documentation. This document is intended for an audience familiar with Solaris 10 5/08 Trusted Extensions, hence a glossary is not included.

1.4 References

Unless otherwise attributed, the documents referenced here are sourced from Sun Microsystems and associated companies (such as Sun Microsystems Federal Inc.).

[ADMCOMS] Solaris System Administration Commands; Sun Microsystems, Inc.; 816-5166-10; 2005

[ADMGUIDE] Solaris System Administration Collection; Sun Microsystems, Inc.; 2005
  Advanced Administration; 819-2380-03
  Basic Administration; 819-2379-03
  Devices and File Systems; 817-5093-12
  IP Services; 816-4554-11
  Naming and Directory Services (DNS, NIS, and LDAP); 816-4556-10
  Network Services; 816-4555-11
  Security Services; 816-4557-11

[BSM] Solaris System Administration Guide - Security Services (formerly known as ‘SunSHIELD Basic Security Module Guide’); Sun Microsystems, Inc.; 2005; 816-4557-11

[CC] Common Criteria for Information Technology Security Evaluation, CCIMB-2004-01-002, Version 2.2, January 2004

[FILEFORM] Solaris File Formats; Sun Microsystems, Inc.; 2003; 817-3945-10

[FSA] Solaris Administration Guide - Devices and File Systems; Sun Microsystems, Inc.; 2005; 817-5093-12

[HD] Solaris 10 11/06 Trusted Extensions High Level Design, Chapter 2, Sun Microsystems, s10_102

[NSAG] System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP); Sun Microsystems, Inc.; 2005; 816-4556-10

[OPENBOOT] OpenBoot 4.x Command Reference Manual; February 2002, Revision A, Sun Microsystems, Inc.; 816-1177-10

[SBCG] Binary Compatibility Guide; 2000, Sun Microsystems, Inc.; 806-1047-10

[SINST] Solaris 10 Installation Guide; Sun Microsystems, Inc.; 2005; 817-0544-10

[SPAA] Security, Performance and Accounting Administration, SunSoft; 1994

[ST] Solaris 10 11/06 Trusted Extensions Security Target, Sun Microsystems, s10_101

[TXINST] Solaris Trusted Extensions Installation and Configuration; Sun Microsystems, Inc.; 2006; 819-7314-05

[UPMA] User Accounts, Printers, and Mail Administration; SunSoft, 1994

[USERCOMS] Solaris User Commands; Sun Microsystems, Inc.; 2005; 816-5165-10

2 User Security Notes

2.1 Overview

This section provides security instructions for both users and administrators of Solaris 10 5/08 Trusted Extensions. The information detailed in this document must be followed by all the users of the system to maintain security.

2.2 Logging in

When your account is created, the administrator must securely inform you of your username and the password for the account. It is important that you log in immediately and change the password for the account. For guidance on passwords see Section 2.3, “Passwords”.

During logon to the system a valid username must be entered at the login prompt and a valid password entered at the password prompt. After the username has been entered and return pressed, you must wait until the password prompt appears on the screen before attempting to enter the password.

Warning – If you fail to wait, and the password is entered too quickly after the username, some of the password characters will be echoed onto the screen, which could compromise the confidentiality of your password.

When logging in, details of the last successful login to your account are displayed on the screen. You should compare this with when you last logged in. If a discrepancy is noticed the administrator should be informed.

You must log out of the system completely before the terminal or workstation that you are using can be left unattended. If logging in to a terminal that does not appear to have completely logged out the previous user, you should ensure previous sessions are closed or contact the administrator.

2.3 Passwords

In order to prevent others logging in to your account the following rules must be adhered to:

• You must not tell anyone else your password, encrypted or unencrypted.

• You must not write the password down.


• You must change your password regularly.

• You must change your password immediately if you suspect that someone else has knowledge of it.

• If you experience a problem when attempting to change your password then contact the system administrator.

• You must choose passwords that are not easy to guess. For guidance on this see [SPAA].

• You should ensure that you are not overlooked when entering your password.

2.4 Groups

The group of any of your files on the system can be a locally defined or network defined group. All types of users, local and network, can belong to local or network groups.

2.5 Protecting Data

It is your responsibility to protect your data. The system will protect your files and directories based on the permissions you have set.

It is possible to protect your data from unauthorised access by other users of the system, by assigning access rights to your files and directories. See [USERCOMS] under chmod(1) for details of how Access Control works on the product.

The command ‘ls -l’ can be used to view the access rights on a file or directory. See [USERCOMS] under ls(1) and also the references above.

It may be necessary to restrict other users’ access to your files and directories to read only. This can be done by setting the permissions to r-- for group, and r-- for others. See the man page for the chmod(1) command for further details.

Warning – If you give another user read access to one of your files then it should be understood that this gives that user the ability to take a copy of your file. This copy is under the control of the other user and you have no control over what happens to it. In particular that user is able to modify the protection of the copy, which could be modified to allow all users access.

It is possible to completely deny all other users (with the exception of the administrator) access to your files and directories, by setting no permission for group and others (i.e. --- for group and --- for others). See the man page for the chmod(1) command for further details.

It is only possible for the owner of a file or directory, or the administrator, to change the access permissions on that file or directory.

You may wish to give access to your file(s) to just one user, apart from yourself, on the system. If so then contact the administrator who will create a new group such that only you and the other user belong to that group. You can then assign the newly created group to the file(s) for which only the other user can have the required access. The other user gets the required access through the ‘group’ permission on the file(s).


When files and directories are created by a user, they are given a default protection. The system is set up in such a way that newly created files will have read access for Group and Others, and newly created directories will have read and execute access for Group and Others. This means that you will be the only user with write access to any file or directory you create. An entry can be made in your ‘.profile’ file if you are using sh and ksh shells or in ‘.cshrc’ file if you are using csh shell to set this default to whatever you wish. The entry should be of the form ‘umask <xxx>’ where <xxx> are three OCTAL digits that refer to read/write/execute permissions for the owner, group and other, respectively. Each octal digit when subtracted from ‘7’ will provide the default file protection. See [USERCOMS] under umask(1) for more details.

You must ensure that the permissions on your files and directories are correct. The permissions can be ascertained by using the command ls -l - see [USERCOMS] under ls(1). Ensure that you understand what permissions are on all your files and directories.

Note – an owner will not be permitted access rights to his object, if Owner rights denies him access, even if Group access rights give him access. The owner is still permitted to change the OGO permissions.

Where a file system accessible to users is read-only, write access will not be granted to its constituent files, even if permitted by the OGO permissions. The user can enter the mount command, [USERCOMS] under mount(1), to obtain a list of local and shared mounted file systems.

Access Control Lists (ACLs) can provide greater control over file permissions, see [USERCOMS] under setfacl(1) and getfacl(1). When the setfacl(1) command is used, it may result in changes to the OGO permissions for that file. An ACL may also contain specific access modes for individually named users and groups, and default settings, which will override the normal permission bits (and by inference the user and group ACL entries) on the file.
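The default-permission and chmod rules of Section 2.5 worked through in POSIX shell, as an added example that is not part of the Sun release notes. It computes the mode a new file or directory receives under a given umask (the system default the text describes corresponds to umask 022), applies the r-- and --- settings from above, and shows the one-other-user group arrangement; since only an administrator can create that dedicated group, the demonstration uses the caller's own group name (an assumption), and everything runs in a temporary directory.

```shell
#!/bin/sh
# Added example for Section 2.5 (not from the Sun release notes).  Shows how the
# umask fixes the default mode of new files and directories, and how the chmod
# settings described in the text restrict access.  All files are created under a
# private temporary directory, so nothing else on the system is touched.

# Mode a new file gets under umask $1 (three octal digits, e.g. 022): the
# creation mode 666 with the umask bits cleared.  Files are never created
# executable, so "subtract each digit from 7" only holds for directories.
default_file_mode() {
    printf '%03o\n' $(( 0666 & ~0$1 ))
}

# Mode a new directory gets under umask $1: 777 with the umask bits cleared.
default_dir_mode() {
    printf '%03o\n' $(( 0777 & ~0$1 ))
}

# Symbolic mode of $1 exactly as ls -l prints it, e.g. -rw-r--r--.
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# Create one file and one directory under umask $1 and return both modes as
# "file-mode dir-mode", so the arithmetic above can be checked against the OS.
demo_umask() {
    tmp=$(mktemp -d) || return 1
    ( umask "$1" && : > "$tmp/f" && mkdir "$tmp/d" ) || return 1
    printf '%s %s\n' "$(mode_string "$tmp/f")" "$(mode_string "$tmp/d")"
    rm -rf "$tmp"
}

# Section 2.5: read only for group and others (r-- / r--); owner keeps rw-.
restrict_to_read_only() {
    chmod 644 "$1" && mode_string "$1"
}

# Section 2.5: deny group and others entirely (--- / ---).
deny_all_others() {
    chmod 600 "$1" && mode_string "$1"
}

# Section 2.5: give exactly one other user access through a dedicated group $2
# (created by the administrator): group gets r--, others get nothing.
share_with_group() {
    chgrp "$2" "$1" && chmod 640 "$1" && mode_string "$1"
}

# List files under $1 that group or others may write to: the kind of incorrect
# permission the text asks every user to check for with ls -l.
find_group_or_other_writable() {
    find "$1" \( -perm -020 -o -perm -002 \) -print
}

# Worked run.  The default described in the text corresponds to umask 022.
main() {
    echo "umask 022 -> file $(default_file_mode 022), dir $(default_dir_mode 022)"
    echo "umask 077 -> file $(default_file_mode 077), dir $(default_dir_mode 077)"
    echo "created under umask 022: $(demo_umask 022)"
    work=$(mktemp -d) || return 1
    : > "$work/report"
    echo "r-- for group/others: $(restrict_to_read_only "$work/report")"
    echo "--- for group/others: $(deny_all_others "$work/report")"
    echo "shared via group:     $(share_with_group "$work/report" "$(id -gn)")"
    chmod 666 "$work/report"                      # deliberately too permissive
    echo "group/other writable: $(find_group_or_other_writable "$work")"
    rm -rf "$work"
}
main
```

To make umask 022 the default for your own sessions, the text's ‘umask <xxx>’ entry in .profile or .cshrc is the place; the functions above only report what a given value produces.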

2.6 Mail

It is possible to generate a mail message and make it appear that it comes from another user, even root. Because of this if you receive a mail message requesting some action, always verify that message before taking the requested action. In particular verify any message requesting action which purports to be from root with the administrator.

Care should also be taken when using the mail system to send information to other users. This is because when mail messages are sent to another user the mail message contents are then owned by that user, and the information within the mail message can be disseminated by that user.

The mail system should not be used to send information that is protected. In order to give other users access to your files use the Discretionary Access Controls that the product contains - see Section 2.5, “Protecting Data”.

If you receive mail from another user make sure that if the contents need protecting then the access rights on the file containing the mail message are correct.


2.7 Allocating Devices

It is possible to gain exclusive use of a tape, CD-ROM or floppy disk drive that is attached to a workstation the user is logged in at using the command allocate - see [ADMCOMS] under allocate(1M). Once allocated you have sole use of the device until either you deallocate it, the administrator deallocates it or the permissions are changed on the device. All users of the system must use this mechanism for accessing the devices as it is the secure way of transferring data between the devices and the disk.

By allocating a device other users can be prevented from accessing the contents of a tape, CD-ROM or floppy disk you wish to place in the drive.

In order to make the tape, CD-ROM or floppy disk drive usable by another user the device must be either deallocated, see [ADMCOMS] under deallocate(1M), or the permissions must be changed on the device to allow other users access to it. See Section 2.5, “Protecting Data” for details concerning access rights.

If you deallocate a device the media must be removed from the device immediately after deallocation, or its contents could be accessed by another user.

Normal users do not have physical access to bootable removable media drives on machines. If you want to access such a device then you must consult the System Administrator.

2.8 Removable Media

When exporting data from the system, users must only use clean removable media (i.e. tapes, floppy disks, or CD-ROMs which are brand new and have never previously been used). This measure is to prevent the potential vulnerability of exporting information which has been ‘deleted’ but not yet treated for reuse.

2.9 Serial Login Devices

If serial login devices are used, e.g. VT100 terminals directly connected to a workstation, users should ensure that the screen is cleared of all information after logging off, or when leaving the terminal unattended.

3 Administrator Security Notes

3.1 Purpose

This section is intended to provide information pertinent to administrators of the product in an operational environment. It is assumed that the System Administrator has attended an administrators training course as approved or recommended by Sun and is familiar with the administration of Solaris 10 5/08 Trusted Extensions. The information provided in this document must be followed in order that the system is administered securely. The administrator should also read Chapter 2, “User Security Notes” before starting to administer the system. The information contained within this document and the referenced documentation is sufficient to administer the system in a secure manner.

This section discusses the following topics:

• Secure Installation of the Product

• Secure Configuration of the Product

• Secure Start-up of the product

• Secure Operation of the product

3.2 Physical Security

The administrator must ensure that appropriate measures commensurate with the security level of the facility are in place to protect the physical security of the machines. The methods used may include but are not limited to: card access control systems, burglar alarm systems, closed circuit television and door lock and key services.

3.3 Secure Installation

The administrator shall perform the tasks described in this chapter in order to perform a secure installation of a Solaris 10 5/08 Trusted Extensions Common Criteria certified system, and before it is made available for general use. The administrator must keep a written record of when the operating system, patches and security enhanced features were installed.

Distribution media must be received in shrink-wrapped packages. If the packages appear to have been tampered with, or the shrink wrapping is damaged then do not proceed with the installation, and contact your supplier.

3.3.1 Installation Media Verification

The following installation media are required. Note that the installation may be done via CD in which case the installer will need the Solaris 10 5/08 Binary DVD Set and the Solaris 10 3/05 Documentation CD. The version numbers should be verified in order to ensure installation of the correct product.

Solaris 10 5/08 Binary DVD; Sparc Platform Edition:

• Solaris 10 5/08 Installation DVD, Part No. 708-0334-10, May 2008, Revision A

Solaris 10 5/08 Binary DVD; x64/x86 Platform Edition:

• Solaris 10 5/08 Installation DVD, Part No. 708-0335-10, May 2008, Revision A

Note – Because Solaris 10 5/08 is considered to be an update release, the documentation and other companion DVDs must be obtained from the previously fully certified release: Solaris 10 3/05.

Solaris 10 3/05 Documentation DVD:

• Part No 708-0066-10, March 2005, Revision A

Solaris 10 5/08 Security Release Notes Document:

• SRN_<SRN_revision_number>.pdf

Note – The Solaris 10 5/08 Trusted Extensions Security Release Notes can be downloaded from the SUN security certification website. This can be found at: www.sun.com/security. Select ‘Security Certification’.

3.3.2 Installing Solaris 10 5/08

3.3.2.1 SPARC

The administrator must first ensure that the machine is shut down and then commence installation from the ‘ok’ prompt. The installation of the base operating system is an automated process which can be started by inserting the Solaris 10 5/08 Installation DVD, and typing boot cdrom. The administrator can then follow the on-screen instructions to install Solaris 10 5/08 as required.

Note – If the machine has previously been in use, then the disk should be reformatted at this stage. From the openwindows screen, start a command tool and use the format command. Installation will continue after this procedure.

The product should be installed by following the standard installation instructions. The final step of installation is to install the patches (if required) for the certified configuration, which are available from the sun.com web site.


3.3.2.2 x64 / x86

The administrator must first ensure that the workstation is shut down and the Solaris 10 5/08 Binary DVD; x86 Platform Edition DVD is appropriately inserted in the DVD drive. By powering on the machine and following the on-screen prompts the administrator can install the Solaris product.

Note – If the workstation has previously been in use, then the disk should be reformatted at this stage.

The installation of the base operating system is an automated process similar to that for the SPARC version described above.

3.3.3 Installing the Solaris 10 5/08 Trusted Extensions Common Criteria Packages

The Solaris 10 5/08 Trusted Extensions Common Criteria Package consists of a tar file:

solaris10_cert_<sparc | x86>_508+TX.tar.Z

where <sparc|x86> refers to the hardware platform of the target machine

The tar file contains two directories:

• S10_508/ contains the patches to be applied to the system after Solaris 10 5/08 has been installed.

• S10_508TX/ contains the patches to be applied to the system after Solaris 10 5/08 Trusted Extensions has been installed.

Each directory contains:

• README_<sparc|x86>_<508 | 508TX> file contains a list of patches and revision-specific installation instructions.

• patches_<sparc|x86>_<508 | 508TX> directory contains the Solaris 10 Common Criteria patch set.

The contents may be extracted from the tar file into a directory such as /tmp/sol10CC (the directory used in the commands below and in the following sections) by typing:

# mkdir /tmp/sol10CC

# cd /tmp/sol10CC

# uncompress solaris10_cert_<sparc|x86>_508+TX.tar.Z

# tar xvf solaris10_cert_<sparc|x86>_508+TX.tar

An example of the directory structure for a sparc version of the Solaris 10 Common Criteria 5/08 Trusted Extensions release is shown below:


3.3.4 Installing Solaris 10 5/08 Common Criteria Patch Set

Once Solaris 10 5/08 has been installed, the required patch set should be installed via the patchadd(1M) command. All patches must be installed so that your system is in the Solaris 10 5/08 Evaluated Configuration.

Each patch is contained in its own directory where the name of the containing directory is the patch_id_number. The patches can then be installed by typing:

# cd /tmp/sol10CC/S10_508/patches_<sparc|x86>_508

# patchadd <patch_id_number>

Refer to the README_<sparc|x86>_508 file for any revision-specific installation instructions.

The system must be rebooted before progressing to the configuration steps.

Warning – In order to maintain a system in the evaluated configuration, only those patches which comprise the Solaris 10 5/08 Common Criteria patch set may be applied to the system.

3.3.5 Installing Solaris 10 5/08 Trusted Extensions

The software for Trusted Extensions is located on the install DVD in the directory: ExtraValue/CoBundled/Trusted_Extensions. Run the GUI installer by typing:

# java wizard

Follow the on-screen instructions and prompts.

For detailed information on how to install Solaris 10 5/08 Trusted Extensions, refer to the document Solaris Trusted Extensions Installation and Configuration [TXINST].

Directory structure of the extracted sparc package (referred to in Section 3.3.3):

solaris10_cert_sparc_508+TX
|-- S10_508
|   |-- README_sparc_508
|   `-- patches_sparc_508
`-- S10_508TX
    |-- README_sparc_508TX
    `-- patches_sparc_508TX


3.3.6 Installing Solaris 10 5/08 Trusted Extensions Common Criteria Patch Set

Once Solaris 10 5/08 Trusted Extensions has been installed, the required patch set should be installed via the patchadd(1M) command. All patches must be installed so that your system is in the Solaris 10 5/08 Trusted Extensions Evaluated Configuration.

Each patch is contained in its own directory where the name of the containing directory is the patch_id_number. The patches can then be installed by typing:

# cd /tmp/sol10CC/S10_508TX/patches_<sparc|x86>_508TX

# patchadd <patch_id_number>

Refer to the README_<sparc|x86>_508TX file for any revision-specific installation instructions.

The system must be rebooted before progressing to the configuration steps.

Warning – In order to maintain a system in the evaluated configuration, only those patches which comprise the Solaris 10 5/08 Trusted Extensions Common Criteria patch set may be applied to the system.
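The following shell script is an added example and is not part of the Sun release notes or of the patch set itself. It applies every patch directory found under a patch-set directory (the loop serves both the Section 3.3.4 set and the Section 3.3.6 Trusted Extensions set) in sorted order, running patchadd from inside that directory as the notes do, and appends one timestamped line per patch to a record file in support of the written installation record that Section 3.3 requires. The PATCHADD variable, the record format and the placeholder patch ids (100001-01 and so on) are this example's own constructions; on a Solaris system PATCHADD defaults to /usr/sbin/patchadd.

```shell
#!/bin/sh
# Added example (not from the Sun release notes): install a Common Criteria
# patch set directory by directory and keep a written record of each step.
# PATCHADD can be overridden so the loop can be exercised where patchadd(1M)
# does not exist (the demonstration below uses /bin/true).
PATCHADD=${PATCHADD:-/usr/sbin/patchadd}

# install_patch_set DIR RECORD
#   DIR    - e.g. /tmp/sol10CC/S10_508/patches_sparc_508 (or the ..._508TX set)
#   RECORD - file receiving one "<UTC timestamp> <patch_id> <ok|FAILED>" line per patch
# Continues past a failed patch so the record shows which one failed;
# returns 1 if any patch failed, 0 otherwise.
install_patch_set() {
    dir=$1; record=$2; rc=0
    for p in "$dir"/*/; do
        [ -d "$p" ] || continue             # no patch directories at all
        id=$(basename "$p")
        # patchadd is run from inside the patch-set directory, as in the notes
        if (cd "$dir" && "$PATCHADD" "$id" >/dev/null 2>&1); then
            status=ok
        else
            status=FAILED; rc=1
        fi
        printf '%s %s %s\n' "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "$id" "$status" >>"$record"
    done
    return $rc
}

# count_failed RECORD -> number of FAILED lines in the record (0 when none)
count_failed() { grep -c ' FAILED$' "$1" || true; }

# make_sample_patch_set -> creates a constructed patch-set tree with
# placeholder ids (not real Sun patch ids) and prints its path
make_sample_patch_set() {
    d=$(mktemp -d)
    mkdir "$d/100001-01" "$d/100002-01" "$d/100003-02"
    printf '%s\n' "$d"
}

# Demonstration on the constructed tree, with /bin/true standing in for patchadd.
demo_dir=$(make_sample_patch_set)
demo_record=$(mktemp)
PATCHADD=true install_patch_set "$demo_dir" "$demo_record"
cat "$demo_record"
```

After the loop, a non-zero return or a FAILED line in the record means the system is not yet in the evaluated configuration; consult the README for that revision before re-running the set, and reboot only once every patch shows ok.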

3.4 Secure Configuration

The procedures detailed below must be performed by the administrator before the ToE becomes operational in order to ensure that the system is secure. If followed correctly, the procedures detailed below do not require the administrator to make any choices; therefore only one configuration of the ToE is possible for each installation. The administrator shall not alter the functionality of any commands or change the file protections on files not specified in this document. The procedures must be performed in the order that they are given below.

3.4.1 Setting root Password

A ‘root’ account is automatically created without a password during installation of Solaris 10 5/08. The password for this account is set during the installation process.

3.4.2 Setting Hardware Passwords

3.4.2.1 Setting PROM Password - SPARC

The full security mode PROM password shall be set on all the machines in the network configuration. The administrator shall set the PROM password by logging on as ‘root’ and entering the following:

eeprom security-mode=full security-password=

Enter the PROM password and verify it. Further details on setting the PROM password can be found in [ADMCOMS] under eeprom(1M).


3.4.2.2 Setting BIOS Password - x64 / x86

The BIOS password must be set using the BIOS utility. To enter the BIOS, the administrator shall enter setup mode using the appropriate function key (e.g. F2, F9, etc.) as the system begins its startup.

In the BIOS menu, use the arrow keys to select the security option. Under this menu,select system password. Enter the password and save as instructed.

Note – Various versions of the BIOS may label their menu options differently; however, the functionality is the same.

3.4.3 Setting umask

The administrator shall set the file creation mode mask by inserting a ‘umask=022’ entry in the ‘/etc/default/login’ file.

3.4.4 Boot Device

3.4.4.1 SPARC Configuration

The boot device for the server is the disk, and this is set by entering ‘eeprom boot-device=disk’.

The boot device for diskless clients is the Ethernet server, and this is set by entering ‘eeprom boot-device=net disk’. In the first instance it will attempt to boot from the Ethernet server and if that fails then it will attempt to boot from the local disk.

For dataless and standalone clients the boot device is the disk and this is set by entering ‘eeprom boot-device=disk’.

3.4.4.2 x64 / x86 Configuration

The boot device options are configured in the BIOS settings of the machine. To enter the BIOS, the administrator shall enter setup mode using the appropriate function key (e.g. F2, F9, etc.) as the system begins its startup.

In the BIOS menu, use the arrow keys to select the boot option. The primary boot device for a server is a local disk.

The boot device for a diskless client is the Ethernet server, and this is set by selecting the network device. In this configuration, the machine will attempt to boot from the Ethernet server and if that fails, it will then attempt to boot from the local disk.

For dataless and standalone clients, the boot device should be set to the local disk.

Set and confirm all settings as instructed by the BIOS program.

3.4.5 32- and 64-bit Modes

Solaris 10 5/08 Trusted Extensions for Sparc can be run in either 32- or 64-bit mode. A system in the evaluated configuration may only be run in 64-bit mode.


3.4.6 Device Allocation

The administrator must make the following devices, if available, allocatable (assignable) on the machine they are connected to:

• CD-ROM

• tape-drive

• floppy-drive

Each of the above allocatable devices must have an entry in the file ‘/etc/security/device_allocate’, which specifies the device name, the device type and the device clean pathname. Also the file ‘/etc/security/device_maps’ must have an entry for each of the above allocatable devices, which specifies the device name, device type and a list of the device special files associated with the device. The administrator shall ensure that the device clean script ejects the media and informs the user. If the media has to be ejected manually then the device clean script shall display such a message to the screen. See [BSM], Chapter 5, for further information.

3.4.7 Password Policy

When creating users on the system the administrator must construct the passwords to meet the requirements detailed in the passwd(1) manual page, which in brief says:

• Each password must have at least six, but no more than eight characters. In the file ‘/etc/default/passwd’, ‘PASSLENGTH=6’ is set by default and the password length must be set to at least this value.

• Each password must contain at least two alphabetic characters and at least one non-alphabetic character (which is enforced by the default product configuration).

• Each password must differ from the user’s login name and any reverse or circular shift of that login name.

• New passwords must differ from the old by at least three characters.

Warning – When using the passwd(1) command, the user whose password is being modified must be specified: passwd <target username>. Because Solaris allows for multiple identity changes, this policy is required to ensure that the user issuing the command does not unintentionally change the password of a user other than the intended one.
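As an added example that is not part of the release notes, the following shell checker implements the four rules listed in this section so that an administrator can test a candidate initial password before calling passwd(1). The function names are this example's own, and the rule that a new password must differ from the old by at least three characters is interpreted here as a position-by-position comparison (extra length counting as differences); that interpretation is an assumption of this example, not a description of how passwd(1) compares the two.

```shell
#!/bin/sh
# Added example (not from the Sun release notes): check a candidate password
# against the rules summarised in Section 3.4.7.  POSIX sh only, so it runs on
# the evaluated system without nawk(1), which Section 3.4.17 disables.

# char_at STRING INDEX -> the INDEX-th (1-based) character of STRING
char_at() { printf '%s' "$1" | cut -c"$2"; }

# str_rev STRING -> STRING reversed
str_rev() {
    rev_s=$1; rev_out=''; rev_i=1
    while [ "$rev_i" -le "${#rev_s}" ]; do
        rev_out="$(char_at "$rev_s" "$rev_i")$rev_out"
        rev_i=$((rev_i + 1))
    done
    printf '%s' "$rev_out"
}

# count_alpha STRING -> number of alphabetic characters in STRING
count_alpha() { printf '%s' "$1" | tr -cd '[:alpha:]' | wc -c | tr -d ' '; }

# is_shift_of CANDIDATE NAME -> 0 if CANDIDATE equals NAME, the reverse of
# NAME, or any circular shift of either (rule 3)
is_shift_of() {
    cand=$1; name=$2; n=${#name}
    for base in "$name" "$(str_rev "$name")"; do
        i=0
        while [ "$i" -lt "$n" ]; do
            # rotate left by i characters: tail of the string, then its head
            tail_part=$(printf '%s' "$base" | cut -c"$((i + 1))-")
            head_part=''
            if [ "$i" -gt 0 ]; then head_part=$(printf '%s' "$base" | cut -c"1-$i"); fi
            if [ "$tail_part$head_part" = "$cand" ]; then return 0; fi
            i=$((i + 1))
        done
    done
    return 1
}

# diff_count A B -> positions at which A and B differ; characters present
# only in the longer string each count as a difference (assumed reading of rule 4)
diff_count() {
    a=$1; b=$2; d=0; i=1
    min=${#a}; if [ "${#b}" -lt "$min" ]; then min=${#b}; fi
    while [ "$i" -le "$min" ]; do
        if [ "$(char_at "$a" "$i")" != "$(char_at "$b" "$i")" ]; then d=$((d + 1)); fi
        i=$((i + 1))
    done
    if [ "${#a}" -gt "${#b}" ]; then d=$((d + ${#a} - ${#b})); else d=$((d + ${#b} - ${#a})); fi
    printf '%s' "$d"
}

# check_password NEW OLD LOGIN -> 0 if NEW satisfies every rule; otherwise
# prints one line per violated rule and returns 1
check_password() {
    new=$1; old=$2; login=$3; ok=0
    len=${#new}; alpha=$(count_alpha "$new")
    if [ "$len" -lt 6 ] || [ "$len" -gt 8 ]; then
        echo "length $len is not between 6 and 8"; ok=1
    fi
    if [ "$alpha" -lt 2 ]; then
        echo "fewer than two alphabetic characters"; ok=1
    fi
    if [ "$alpha" -eq "$len" ]; then
        echo "no non-alphabetic character"; ok=1
    fi
    if is_shift_of "$new" "$login"; then
        echo "equals the login name, its reverse, or a circular shift of one of them"; ok=1
    fi
    if [ "$(diff_count "$new" "$old")" -lt 3 ]; then
        echo "differs from the old password in fewer than three positions"; ok=1
    fi
    return $ok
}

# Demonstration on constructed values (no real passwords).
check_password 'ab3def' 'zzzzzz' 'user' && echo 'ab3def: accepted'
check_password 'seru' 'zzzzzz' 'user' || echo 'seru: rejected'
```

The checker does not replace the enforcement inside passwd(1); it lets the administrator reject a weak initial password before it is ever set, and it makes the circular-shift rule concrete (for the login name user, the strings user, seru, erus, rsue and their reverses are all refused).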

3.4.8 Disable xhost Command

The ‘xhost’ command shall be made a root-only command by the administrator changing the access permissions on the files, by typing:

chmod 744 /usr/openwin/bin/xhost

chmod 744 /usr/X/bin/xhost

3.4.9 Configuration File for Name Service - nsswitch.conf

The configuration file, /etc/nsswitch.conf, for the name services switch shall contain the following entries:


passwd: files ldap

group: files ldap

hosts: ldap [NOTFOUND=return] files

services: files ldap

networks: ldap [NOTFOUND=return] files

protocols: ldap [NOTFOUND=return] files

rpc: ldap [NOTFOUND=return] files

ethers: ldap [NOTFOUND=return] files

netmasks: ldap [NOTFOUND=return] files

bootparams: ldap [NOTFOUND=return] files

publickey: ldap [NOTFOUND=return] files

netgroup: ldap

automount: files ldap

aliases: files ldap

sendmailvars: files

The /etc/nsswitch.conf file on all machines in the system must contain the above entries.
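The following shell script is an added example, not part of the release notes: it compares a name service switch file against the fifteen entries required above and reports every database whose source list is missing or differs, so the check can be run on each machine in the system. The function names are this example's own, and the sample file it builds (with a deliberate deviation in the hosts entry) is constructed for the demonstration; on a live system call check_nsswitch /etc/nsswitch.conf.

```shell
#!/bin/sh
# Added example (not from the Sun release notes): verify that an nsswitch.conf
# carries exactly the entries required by Section 3.4.9.

# The required "database: sources" lines, as listed in Section 3.4.9.
REQUIRED_NSSWITCH='passwd: files ldap
group: files ldap
hosts: ldap [NOTFOUND=return] files
services: files ldap
networks: ldap [NOTFOUND=return] files
protocols: ldap [NOTFOUND=return] files
rpc: ldap [NOTFOUND=return] files
ethers: ldap [NOTFOUND=return] files
netmasks: ldap [NOTFOUND=return] files
bootparams: ldap [NOTFOUND=return] files
publickey: ldap [NOTFOUND=return] files
netgroup: ldap
automount: files ldap
aliases: files ldap
sendmailvars: files'

# normalize_line LINE -> LINE without comments, with whitespace collapsed to
# single spaces, in the form "database: sources"
normalize_line() {
    printf '%s\n' "$1" | sed -e 's/#.*$//' \
                             -e 's/[[:space:]][[:space:]]*/ /g' \
                             -e 's/^ //' -e 's/ $//' \
                             -e 's/ *: */: /'
}

# lookup_entry FILE DATABASE -> the first line for DATABASE in FILE, normalized
# (empty when the database has no entry)
lookup_entry() {
    grep "^[[:space:]]*$2[[:space:]]*:" "$1" | head -n 1 \
        | while IFS= read -r line; do normalize_line "$line"; done
}

# check_nsswitch FILE -> prints "MISMATCH <db>: have ..., want ..." for every
# deviation; returns 0 only when all required entries are present and identical
check_nsswitch() {
    nss_rc=0
    while IFS= read -r req; do
        db=${req%%:*}
        have=$(lookup_entry "$1" "$db")
        if [ "$have" != "$req" ]; then
            printf 'MISMATCH %s: have "%s", want "%s"\n' "$db" "${have#*: }" "${req#*: }"
            nss_rc=1
        fi
    done <<EOF
$REQUIRED_NSSWITCH
EOF
    return $nss_rc
}

# make_sample_nsswitch -> writes a constructed nsswitch.conf (tabs, comments and
# one wrong hosts entry) to a temporary file and prints its path
make_sample_nsswitch() {
    f=$(mktemp)
    {
        printf '# constructed sample: the hosts entry deviates from Section 3.4.9\n'
        printf 'passwd:\tfiles ldap\n'
        printf 'group:      files   ldap   # trailing comment\n'
        printf 'hosts:      files dns\n'
        printf '%s\n' "$REQUIRED_NSSWITCH" | sed '1,3d'
    } > "$f"
    printf '%s\n' "$f"
}

# Demonstration: the constructed file is reported for its hosts entry only.
demo_file=$(make_sample_nsswitch)
check_nsswitch "$demo_file" || echo "nsswitch.conf deviates from the evaluated configuration"
```

Comparing the normalized line, not just the database name, is what catches the realistic mistake of a correct database with a wrong source order (for example hosts consulting files before ldap, or an ldap entry lacking [NOTFOUND=return]).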

3.4.10 Configuration of Files and Tables

The administrator must ensure that the following files and tables have the specified permissions:

• /etc/default/passwd r-- r-- r-- (On all machines in system)

• /etc/passwd rw- r-- r-- (On all machines in system)

• /etc/security/audit_user rw- r-- --- (On all machines in system)

• /etc/shadow r-- --- --- (On all machines in system)
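An added example, not part of the release notes, that verifies the four permission settings listed above. It reads the mode string from ls -l rather than stat(1), because the stat format flags differ between Solaris, Linux and BSD while the ls -l columns do not. The function names are this example's own; the tree it builds under a temporary directory (with /etc/shadow deliberately left world-readable) is constructed for the demonstration, and on a live system check_required_modes is called with an empty prefix.

```shell
#!/bin/sh
# Added example (not from the Sun release notes): check the file modes that
# Section 3.4.10 requires on every machine in the system.

# Required "path mode" pairs from Section 3.4.10.
REQUIRED_MODES='/etc/default/passwd r--r--r--
/etc/passwd rw-r--r--
/etc/security/audit_user rw-r-----
/etc/shadow r--------'

# file_mode PATH -> the nine permission characters of PATH, e.g. rw-r-----
# (an ACL or SELinux marker in column 11 is ignored; empty if PATH is missing)
file_mode() { ls -ld "$1" 2>/dev/null | cut -c2-10; }

# check_mode PATH EXPECTED -> 0 when the mode string matches; otherwise prints
# the deviation and returns 1
check_mode() {
    actual=$(file_mode "$1")
    if [ "$actual" = "$2" ]; then return 0; fi
    printf '%s: have "%s", want "%s"\n' "$1" "${actual:-missing}" "$2"
    return 1
}

# check_required_modes PREFIX -> checks every REQUIRED_MODES entry under PREFIX
# (use an empty prefix for the live system); returns 1 if any entry deviates
check_required_modes() {
    prefix=$1; modes_rc=0
    while read -r path mode; do
        [ -n "$path" ] || continue
        if ! check_mode "$prefix$path" "$mode"; then modes_rc=1; fi
    done <<EOF
$REQUIRED_MODES
EOF
    return $modes_rc
}

# make_sample_tree -> builds a constructed /etc tree in a temporary directory,
# with one deliberate deviation (/etc/shadow readable by all), and prints its path
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/default" "$root/etc/security"
    for f in /etc/default/passwd /etc/passwd /etc/security/audit_user /etc/shadow; do
        : > "$root$f"
    done
    chmod 444 "$root/etc/default/passwd"
    chmod 644 "$root/etc/passwd"
    chmod 640 "$root/etc/security/audit_user"
    chmod 644 "$root/etc/shadow"      # deviation: Section 3.4.10 requires r--------
    printf '%s\n' "$root"
}

# Demonstration on the constructed tree: only /etc/shadow is reported.
demo_root=$(make_sample_tree)
check_required_modes "$demo_root" || echo "deviations found under $demo_root"
```

Because the check compares the full nine-character string, it also flags a file that is too restrictive (for example /etc/passwd at r--------, which would break name lookups) rather than only one that is too open.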

3.4.11 Default User and Group IDs

When the ToE is installed a number of default user accounts and groups are created. These accounts and groups shall only be used by the administrator in order to administer the ToE. The user accounts created do not have passwords and only the root user can su to them. The default accounts and groups are detailed below:

• The following local user accounts are created:

daemon, bin, sys, adm, lp, smtp, uucp, nuucp, listen, nobody, noaccess


• The following local groups are created:

root, other, bin, sys, adm, uucp, mail, tty, lp, nuucp, staff, daemon, sysadmin, nobody, noaccess

• No network user accounts or network groups are created.

3.4.12 Solaris Management Console (SMC)

Solaris Management Console 2.1 must be used to administer user accounts.

3.4.13 NFS-Mounted Audit Directories

For NFS mounted directories, you must set the option ‘noac’ in the /etc/vfstab file in order to obtain the correct behavior when an audit partition fills. If this option is not set, audit records may be lost when moving to a new partition.

Below is an example of how the ‘noac’ option is set:

<remote_machine>:/audit1 - /var4 nfs - yes noac

3.4.14 Hardware-Specific Configuration Tasks

3.4.14.1 SunFire System Controller Cards

The SunFire servers provide for both direct and remote connection of a system hardware console via the System Controller (SC) card, which is a hardware component within the interconnect cabinet. To maintain a system in an evaluated configuration, the system controller must only be connected directly to a dedicated administration network (to which only administrators have access) or directly to a console to which only administrators have physical access. The password length must be commensurate with the level of security required, at least 6 characters but 8 is recommended. The SC is capable of much stronger password usage if the administrator should choose to use that level of protection.

3.4.15 Abstract Machine Tests

The abstract machine tests are used to verify that the low level functions necessary to enforce the object reuse requirements of the Controlled Access Protection Profile on a Common Criteria security certified system are working properly.


If required by your installation, the tests should be run periodically by doing the following:

# su

# /usr/bin/amt

Test results will be listed with a “pass” or “fail” for each test performed. An exit status of 0 is returned when all tests pass. Refer to the amt(1) manual page for additional details.

3.4.16 Disable Dtsession Unlock With root Password

Bug IDs: 5023661, 6362294

Dtsession allows a session to be unlocked if the root password is provided at the lock screen. In order to be able to associate the session to the correct user, this feature must be disabled. On multi-zone systems, this must be done for each instance. As the root user, do the following:

# vi /usr/dt/app-defaults/$LANG/Dtsession

Comment out the line:

dtsession*keys: root

so that it looks like:

!dtsession*keys: root

3.4.17 Buffer Overflow in nawk(1)

Bug ID 4706368

There is a possible buffer overflow situation in nawk(1). This may lead to an issue with data corruption. This command must be disabled:

# chmod a-x /usr/bin/nawk

3.4.18 Buffer Overflow in rcp(1) Command Line Argument

By executing rcp(1) on a local system with excessively long command-line arguments, a user may produce a segmentation fault. An attacker must execute rcp(1) with 10,000 bytes in each of the fields for the file name, destination host name and destination file name. As rcp(1) is a setuid root executable, it may be possible to gain elevated privileges.

The setuid bit must be removed from the rcp binary.

# chmod u-s /usr/bin/rcp

3.4.19 IPv6 Re-Numbering

Bug ID 4503112

The IPv6 re-numbering operation permits an administrator to globally change the IPaddresses of machines on a network. BSM uses the IP address to identify a machine.


This capability must be disabled in order to maintain the consistency of the audit records. To do this, as root user edit the file: /etc/rc2.d/S69inet. Search for the following lines:

if [ -f /usr/lib/inet/in.ndpd ]; then
        /usr/lib/inet/in.ndpd
fi

There are two occurrences of these lines. Add the -a option to disable the autoconfiguration of addresses and re-numbering:

if [ -f /usr/lib/inet/in.ndpd ]; then
        /usr/lib/inet/in.ndpd -a
fi

Restart the daemon by:

# /etc/rc2.d/S69inet stop

# /etc/rc2.d/S69inet start
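The two file edits above, the Dtsession change of Section 3.4.16 and the S69inet change of Section 3.4.19, are both easy to get subtly wrong by hand (a missed second occurrence, or -a added twice on a re-run). As an added example that is not part of the release notes, the following shell script expresses them as sed filters that are idempotent, so the same command can be applied to every zone's Dtsession file and run again without harm. The function names are this example's own, and the two input fragments are constructed, not copies of the real files.

```shell
#!/bin/sh
# Added example (not from the Sun release notes): the edits from Sections
# 3.4.16 and 3.4.19 as repeatable sed filters with a backup of the original.

# disable_root_unlock < Dtsession > Dtsession.new
#   Comments out "dtsession*keys: root" (Section 3.4.16); a line that is
#   already commented with "!" is left untouched.
disable_root_unlock() {
    sed 's/^dtsession\*keys:[[:space:]]*root[[:space:]]*$/!&/'
}

# add_ndpd_noautoconf < S69inet > S69inet.new
#   Appends -a to every bare "/usr/lib/inet/in.ndpd" invocation (Section 3.4.19);
#   the "if [ -f ... ]" test lines and lines already carrying -a are unchanged.
add_ndpd_noautoconf() {
    sed 's#^\([[:space:]]*\)/usr/lib/inet/in\.ndpd[[:space:]]*$#\1/usr/lib/inet/in.ndpd -a#'
}

# edit_in_place FILTER FILE -> rewrites FILE through FILTER, keeping FILE.orig
edit_in_place() {
    cp -p "$2" "$2.orig" && "$1" < "$2.orig" > "$2"
}

# count_matches PATTERN < input -> number of matching lines (0 instead of grep's failure status)
count_matches() { grep -c "$1" || true; }

# Constructed fragments standing in for the real files.
SAMPLE_DTSESSION='dtsession*saverTimeout: 10
dtsession*keys: root
dtsession*lockTimeout: 0'

SAMPLE_S69INET='if [ -f /usr/lib/inet/in.ndpd ]; then
        /usr/lib/inet/in.ndpd
fi
# ... later in the same script ...
if [ -f /usr/lib/inet/in.ndpd ]; then
        /usr/lib/inet/in.ndpd
fi'

# Demonstration: both occurrences of the daemon line gain -a, and the root
# unlock line is commented out.
printf '%s\n' "$SAMPLE_S69INET" | add_ndpd_noautoconf
printf '%s\n' "$SAMPLE_DTSESSION" | disable_root_unlock

# On a Solaris system (as root, once per zone for Dtsession):
#   edit_in_place disable_root_unlock /usr/dt/app-defaults/$LANG/Dtsession
#   edit_in_place add_ndpd_noautoconf /etc/rc2.d/S69inet
```

After editing S69inet, restart the daemon with the stop and start commands shown above; the .orig copy left by edit_in_place is the evidence of what was changed for the written configuration record.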

3.4.20 Simultaneous Multi-Threading Processors May Leak Information

Bug ID 6278935

On platforms supporting simultaneous multi-threading (Hyper-Threading technology) local unprivileged users might be able to deduce potentially secret data from another executing thread, using cache eviction analysis techniques.

Listed below are the suggested workarounds:

1. Disabling Hyper-Threading in the BIOS

Many BIOS implementations provide a way to disable the Hyper-Threading feature. With the feature disabled, threads will not be able to simultaneously execute on a given physical processor, thus closing the vulnerability.

Note: Overall system performance will likely be impacted.

2. Dynamic CPU Off-lining

Solaris provides a mechanism allowing CPUs to be taken off-line without rebooting. Off-lined CPUs will not participate in the scheduling of software threads. CPUs may be taken off-line with the psradm(1M) command [1].

Setting all but one of a physical processor’s CPUs off-line prevents multiple threads from executing simultaneously on the same physical processor. Without the ability to simultaneously execute, two threads will not be able to use the L1 cache as a communication channel, thus closing the vulnerability.

Note: Overall system performance will likely be impacted, and these settings will not persist across reboot.

Example: Off-lining all but one of each physical processor’s logical CPUs:

# psrinfo -vp

The physical processor has 2 virtual processors (0, 4)


x86 (chipid 0x0 GenuineIntel family 15 model 2 step 6 clock 3000MHz)

Intel(r) Xeon(tm) MP CPU 3.00GHz

The physical processor has 2 virtual processors (1, 5)

x86 (chipid 0x1 GenuineIntel family 15 model 2 step 6 clock 3000MHz)

Intel(r) Xeon(tm) MP CPU 3.00GHz

The physical processor has 2 virtual processors (2, 6)

x86 (chipid 0x2 GenuineIntel family 15 model 2 step 6 clock 3000MHz)

Intel(r) Xeon(tm) MP CPU 3.00GHz

The physical processor has 2 virtual processors (3, 7)

x86 (chipid 0x3 GenuineIntel family 15 model 2 step 6 clock 3000MHz)

Intel(r) Xeon(tm) MP CPU 3.00GHz

# psrinfo

0 on-line since 04/20/2005 17:13:16

1 on-line since 04/20/2005 17:13:21

2 on-line since 04/20/2005 17:13:23

3 on-line since 04/20/2005 17:13:25

4 on-line since 04/20/2005 17:13:27

5 on-line since 04/20/2005 17:13:29

6 on-line since 04/20/2005 17:13:31

7 on-line since 04/20/2005 17:13:33

# psradm -f 4 5 6 7

# psrinfo

0 on-line since 04/20/2005 17:13:16

1 on-line since 04/20/2005 17:13:21

2 on-line since 04/20/2005 17:13:23

3 on-line since 04/20/2005 17:13:25

4 off-line since 05/18/2005 11:05:07

5 off-line since 05/18/2005 11:05:07

6 off-line since 05/18/2005 11:05:07

7 off-line since 05/18/2005 11:05:07

3. Solaris Containers

Properly configured, the Containers feature in Solaris 10 can be used to close this vulnerability with no adverse performance impact. Containers in Solaris consist of Resource Pools and Zones.

Resource Pools [2] allow administrators to create pools of CPU resources. Threads "bound" to a given pool may not execute on CPUs belonging to a different pool. Administrators can use resource pools (each consisting of CPUs derived from the same physical processor(s)) to isolate threads from one another. Threads bound to different pools won’t be able to use cache interference to covertly communicate/spy on each other since those threads could never run on the same physical processor.

The Zones feature [3] allows for the creation of multiple virtual Solaris environments. Administrators can configure zones to contain users and applications. Each zone can then be bound to a CPU resource pool configured as above. Users and applications in a given zone will only be able to execute on CPUs contained in that zone’s pool, thus preventing communication/spying across zones. It should be noted that using Resource Pools alone is enough to close the vulnerability. However, using Zones in addition to Resource Pools provides additional isolation since applications/users inside a given zone cannot see other applications/users outside the zone virtual environment.

For more information about using Zones with Resource Pools, please see the "Solaris Containers Resource Management and Solaris Zones" answerbook [4].

For additional information, refer to the following resources:

• [1] Solaris System Administration Commands Answerbook, Man pages section 1M - psradm(1M); http://docs.sun.com

• [2] Solaris System Administration Guide, Resource Management and Network Services, Resource Pools; http://docs.sun.com

• [3] BigAdmin System Administration Portal - Solaris Zones; http://www.sun.com/bigadmin/content/zones

• [4] Solaris System Administration Guide, Solaris Containers Resource Management and Solaris Zones; http://docs.sun.com
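Workaround 2 above requires the administrator to read the sibling list of every physical processor out of psrinfo -vp and hand it to psradm -f; on a machine with many cores that is error-prone to do by eye. As an added example that is not part of the release notes, the following shell script derives the psradm argument list automatically, keeping the first logical CPU of each physical processor and selecting the rest. The sample psrinfo -vp text is the listing from this section; the parser additionally accepts the "(0 1)" and "(0-3)" forms that other psrinfo versions print, which is a generalization beyond the listing shown. The function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the Sun release notes): compute the sibling CPUs to
# off-line for workaround 2 of Section 3.4.20 from psrinfo -vp output.

# expand_ids "0, 4" | "0 1" | "0-3,8-11" -> one CPU id per line
expand_ids() {
    for tok in $(printf '%s' "$1" | tr ',' ' '); do
        case $tok in
            *-*)
                lo=${tok%-*}; hi=${tok#*-}; i=$lo
                while [ "$i" -le "$hi" ]; do printf '%s\n' "$i"; i=$((i + 1)); done ;;
            *)
                printf '%s\n' "$tok" ;;
        esac
    done
}

# cpus_to_offline < psrinfo-vp-output -> space-separated ids of every logical
# CPU except the first listed for each physical processor (empty when every
# physical processor has a single logical CPU)
cpus_to_offline() {
    sed -n 's/^.*virtual processors\{0,1\} (\([^)]*\)).*$/\1/p' \
        | while IFS= read -r ids; do expand_ids "$ids" | tail -n +2; done \
        | tr '\n' ' ' | sed 's/ $//'
}

# offline_siblings -> applies the result with psradm on a Solaris system
# (not exercised here; psrinfo and psradm are Solaris commands)
offline_siblings() {
    ids=$(psrinfo -vp | cpus_to_offline)
    [ -n "$ids" ] && psradm -f $ids      # word splitting of $ids is intended
}

# The psrinfo -vp listing from Section 3.4.20 (four physical processors,
# two logical CPUs each).
SAMPLE_PSRINFO='The physical processor has 2 virtual processors (0, 4)
  x86 (chipid 0x0 GenuineIntel family 15 model 2 step 6 clock 3000MHz)
        Intel(r) Xeon(tm) MP CPU 3.00GHz
The physical processor has 2 virtual processors (1, 5)
  x86 (chipid 0x1 GenuineIntel family 15 model 2 step 6 clock 3000MHz)
        Intel(r) Xeon(tm) MP CPU 3.00GHz
The physical processor has 2 virtual processors (2, 6)
  x86 (chipid 0x2 GenuineIntel family 15 model 2 step 6 clock 3000MHz)
        Intel(r) Xeon(tm) MP CPU 3.00GHz
The physical processor has 2 virtual processors (3, 7)
  x86 (chipid 0x3 GenuineIntel family 15 model 2 step 6 clock 3000MHz)
        Intel(r) Xeon(tm) MP CPU 3.00GHz'

# Demonstration: reproduces the "psradm -f 4 5 6 7" of the section.
printf '%s\n' "$SAMPLE_PSRINFO" | cpus_to_offline   # prints: 4 5 6 7
```

Because psradm settings do not survive a reboot (as the note above says), the practical use is to run offline_siblings from the administrator's post-boot checklist and to confirm the result with psrinfo, as in the listing.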

3.5 Secure Startup

3.5.1 Secure Start-up - SPARC Workstations

When the SPARC workstation is switched on the firmware on the hardware is immediately executed. The PROM password is prompted for and on specifying the correct password the boot process continues. If the PROM password is incorrect there is a delay of about 10 seconds before the Restricted Monitor Mode prompt appears. There are only three available options at this prompt; ‘b’ to boot, ‘c’ to continue and ‘n’ for new command. On specifying the ‘b’ or the ‘n’ option the PROM password is prompted for, and the ‘c’ option remains in the Restricted Monitor mode.

Specifying the correct PROM password and then immediately pressing the STOP-A key sequence on the keyboard puts the system into Restricted Monitor Mode. The Restricted Monitor Mode prompt is ‘>’ and in this mode the following screen is displayed:

Type b (boot), c (continue), or n (new command mode)

>


On pressing ‘b’ it prompts for the PROM password. On pressing ‘c’ it resumes (continues) the booting process. On pressing ‘n’ it first prompts for the PROM password. On specifying the correct PROM password it enters the Forth Monitor Mode and the prompt for this mode is ‘ok’. On entering this mode the following screen is displayed:

Type help for more information

ok

In this mode the system administrator can use functions detailed in [OPENBOOT].

An uninterrupted boot process gets into the normal multi-user mode.

3.5.2 Secure Start-up - SPARC Servers

The applicable guidelines for the use of the system controllers must be followed as defined in the following manuals:

“Securing the SunFire Midframe System Controller”, Part No. 816-4940-10

“System Controller Command Reference Manual”, Part No. 805-7372-13

3.5.3 Secure Start-up - x64 / x86 Platforms

When an x64 / x86 workstation is switched on the firmware on the hardware is immediately executed. The BIOS password is prompted for and on specifying the correct password the boot process continues. The BIOS password must be entered correctly before the system will boot.

3.5.4 Operational Modes

The two modes of operation for Solaris 10 5/08 Trusted Extensions are multi-user mode and single-user mode.

3.5.4.1 Multi-user Mode

This is the normal operating mode of the ToE. The transition into this mode is from:

• An uninterrupted boot process from power on.

• Single-user mode by entering ‘/etc/telinit 3’.

The transitions from this mode are:

• For SPARC systems, pressing the STOP-A key sequence from the keyboard to transition to Restricted Monitor Mode.

• Single-user mode by entering ‘/etc/telinit 1’.

• Shutdown of the machine by entering ‘shutdown -i5’.

3.5.4.2 Single-user Mode

This is the operating mode for the maintenance of the ToE by the administrator. The transition into this mode is from:


• Multi-user mode by first shutting down the system and then entering ‘/etc/telinit 1’.

• Forth Monitor Mode by entering ‘boot -s’ at the ‘ok’ prompt.

The transitions from this mode are:

• For SPARC systems, pressing the STOP-A key sequence from the keyboard to transition to Restricted Monitor Mode.

• Multi-user mode by entering ‘/etc/telinit 3’.

• Shutdown of the machine by entering ‘shutdown -i5’.

Further details on the commands /etc/telinit and shutdown can be found in [ADMCOMS] under init(1M) and shutdown(1M) respectively.

3.5.5 Security

There is no possible deactivation or modification of the Security Enforcing Functions during Secure Start-up of the ToE.

3.5.6 Administrative Components

The components (functions) that are relevant to the administrator are those that have been identified and mentioned in this document. The security parameters that are under the administrator’s control are the parameters that are identified in the manual pages of those components. The only component relevant to the administrator that obtains information is the auditreduce command. All the other components are classified as controlling components, and some of them can also be used to obtain information as well.

3.5.7 auditd Is Started After logind

Bug ID: 6232332

The audit daemon (auditd) is started after the login daemon (logind). This allows for the possibility of a user login event which is not captured by the audit subsystem. In order to mitigate this vulnerability, when systems are being rebooted all logins except for root must be disabled until the system administrator has logged in and verified that auditd is running. Use the following procedure:

1. Create a file called /etc/passwd.boot with only the default and root users.

root:x:0:1:Super-User:/:/sbin/sh

daemon:x:1:1::/:

bin:x:2:2::/usr/bin:

sys:x:3:3::/:

adm:x:4:4:Admin:/var/adm:

lp:x:71:8:Line Printer Admin:/usr/spool/lp:

uucp:x:5:5:uucp Admin:/usr/lib/uucp:

nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico

listen:x:37:4:Network Admin:/usr/net/nls:


nobody:x:60001:60001:Nobody:/:

noaccess:x:60002:60002:No Access User:/:

nobody4:x:65534:65534:SunOS 4.x Nobody:/:

2. When a system needs to be rebooted, it must be brought down and booted into single-user mode.

# halt

ok boot -s

3. Replace the existing /etc/passwd file with the /etc/passwd.boot version.

# mv /etc/passwd /etc/passwd.sav

# cp /etc/passwd.boot /etc/passwd

4. Tell the name service to look only in the local /etc/passwd file.

# cp /etc/nsswitch.conf /etc/nsswitch.conf.sav

# cp /etc/nsswitch.files /etc/nsswitch.conf

5. Bring the system back up into multi-user mode.

# <cntl-d>

6. Log in as the root user.

7. Verify that the audit daemon is running.

# ps -ef | grep auditd

8. Restore the password and name services files.

# mv /etc/passwd.sav /etc/passwd

# mv /etc/nsswitch.conf.sav /etc/nsswitch.conf

9. Restart the nscd daemon.

# /etc/init.d/nscd stop

# /etc/init.d/nscd start
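Two steps of the procedure above lend themselves to a script: step 1, where /etc/passwd.boot must contain exactly the default accounts and nothing else, and step 7, where the administrator confirms from ps -ef that auditd is present before restoring the real password file. The following shell script is an added example and not part of the release notes; it derives the boot file from an existing passwd file by keeping only the accounts listed in step 1, and checks ps output for an auditd process. The function names and the passwd and ps lines used in the demonstration are this example's own constructions.

```shell
#!/bin/sh
# Added example (not from the Sun release notes): support steps 1 and 7 of
# the Section 3.5.7 reboot procedure.

# The accounts that step 1 lists for /etc/passwd.boot.
DEFAULT_BOOT_USERS='root daemon bin sys adm lp uucp nuucp listen nobody noaccess nobody4'

# is_default_user NAME -> 0 if NAME is one of DEFAULT_BOOT_USERS
is_default_user() {
    for keep in $DEFAULT_BOOT_USERS; do
        if [ "$1" = "$keep" ]; then return 0; fi
    done
    return 1
}

# make_passwd_boot SRC DST -> writes the default-account lines of SRC to DST,
# dropping every other user; fails if the result would not contain root
# (without root nobody could log in after the single-user boot)
make_passwd_boot() {
    : > "$2"
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        if is_default_user "${line%%:*}"; then printf '%s\n' "$line" >> "$2"; fi
    done < "$1"
    grep -q '^root:' "$2"
}

# auditd_listed < ps-ef-output -> 0 if a process whose command is auditd is listed
auditd_listed() { grep -Eq '(^|[ /])auditd( |$)'; }

# --- constructed demonstration data ---
SAMPLE_PASSWD='root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
alice:x:1001:10:Alice Example:/export/home/alice:/bin/ksh
nobody:x:60001:60001:Nobody:/:
bob:x:1002:10:Bob Example:/export/home/bob:/bin/ksh'

SAMPLE_PS='    root   123     1   0 10:00:00 ?           0:01 /usr/sbin/auditd
    root   456     1   0 10:00:01 ?           0:00 /usr/sbin/nscd'

demo_src=$(mktemp); demo_dst=$(mktemp)
printf '%s\n' "$SAMPLE_PASSWD" > "$demo_src"
make_passwd_boot "$demo_src" "$demo_dst" && cat "$demo_dst"   # the five default accounts; alice and bob dropped
printf '%s\n' "$SAMPLE_PS" | auditd_listed && echo 'auditd is running'

# On the live system (as root): make_passwd_boot /etc/passwd /etc/passwd.boot
# before the reboot, and   ps -ef | auditd_listed   at step 7.
```

Generating the boot file from the current /etc/passwd rather than typing it keeps the uid, gid and shell fields of the default accounts identical to the live file, so step 3 changes nothing except which users can log in.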

3.6 Secure Operation

Where the word ‘system’ is used this refers to a complete installation of the ToE, i.e. all machines in all domains and sub-domains.

3.6.1 Setting Up An LDAP Server

Once the ToE is installed following the guidelines provided in Chapter 3.2, “Administrator Security Notes”, one LDAP naming server instance and one or more LDAP client(s) must be created.

For more information on this process, refer to the Solaris 10 System Administration Guide: Naming and Directory Services (DNS, NIS and LDAP). In particular, see Part V: LDAP Naming Services Setup and Administration.


3.6.2 The root Account

A password policy, see Section 3.4.7, “Password Policy”, exists on the system which applies to all users with the exception of the administrator. The administrator must ensure that the root password also conforms to this policy by choosing passwords that conform to the policy, and by changing the root password in conformance with this policy.

The administrator can also change any other user’s password using the passwd(1) command. When changing users’ passwords the administrator must ensure that the new password is chosen at random. When choosing a user’s password use the guidance given in Chapter 2, “User Security Notes”.

3.6.3 Users and Groups

3.6.3.1 Creating Local Groups

Local groups can be created using the SMC Group Manager. All local groups created on all machines must have a different gid. Furthermore the administrator must ensure that all groups, whether local or network defined on the system, have a unique name and gid. This must be manually checked by the administrator. Local groups can contain both local and network users.

3.6.3.2 Deleting Local Groups

Local groups can be deleted by using the SMC Group Manager. When a local group is deleted from the system the administrator must ensure that all objects with this gid are also deleted from the system, or alternatively reassigned to another group. Also the administrator must ensure that all users who have the deleted group as their primary group are reassigned another primary group.

3.6.3.3 Creating Local Users

Local users should be created using the SMC User Manager. The administrator shall select a unique user name and user id when creating a new local user. Before creating the new user the administrator must check the user names and user ids of all the users on the network by entering the command logins, see [ADMCOMS] under logins(1M), on all the machines on the network.

Once a user has been created, a password must be provided to enable the user to log on. This is achieved via the passwd(1) command. Once created, the user must be given his password securely and told to log in straight away and change his password.

Warning – Administrators should be aware that the Expiration Date of user accounts does not cause accounts to be locked. No reliance should be placed upon this feature when configuring user accounts.

3.6.3.4 Suspending Local Users

See [USERCOMS] under passwd(1) for details on how to suspend a local user, i.e. locking a password entry.


When using passwd(1) to force a user to change his/her password upon the next login, administrators must use the -n and -x options with the -f option. For later changes, just the -f option would be sufficient.

Warning – Administrators should be aware that the Expiration Date of user accounts does not cause accounts to be locked. Administrators should not use this feature to disable accounts.

3.6.3.5 Deleting Local Users

Local users can be deleted using the SMC User Manager. When a local user is deleted from the system the administrator must ensure that the user’s home directory and any objects owned by that user are also deleted. As an alternative to deleting objects owned by the user, the administrator may wish to change the ownership of these objects to another user who is defined on the system. The administrator must also ensure that all batch jobs still to run associated with the deleted user are also deleted. The administrator must ensure that there are no objects or processes belonging to a deleted user that remain on the system.

3.6.3.6 Creating a Network User

In order to create a Network User the following steps must be followed:

• The administrator shall select a unique user name and user id when creating a new network user. Before creating the new network user the administrator must check the user names and user ids of all the users on the network by entering the command logins, see [ADMCOMS] under logins(1M), on all the machines on the network.

• Decide which domain to make the network user part of

• Logon to the master server for that domain

• Use the command line Administration User Management commands to add a user entry.

• Once an entry has been created, give the network user a password using the passwd(1) command. Once the password has been set, it must be given to the user securely, and the user must be told to log in straight away and change it.

Warning – Administrators should be aware that the Expiration Date of user accounts does not cause accounts to be locked. No reliance should be placed upon this feature when configuring user accounts.

3.6.3.7 Suspending a Network User

See [USERCOMS] under passwd(1) for details on how to suspend a network user.

Warning – Administrators should be aware that the Expiration Date of user accounts does not cause accounts to be locked. Administrators should not use this feature to disable accounts.

3.6.3.8 Deleting Network Users

Network users may be deleted using the SMC User Manager.

When a network user is deleted from the system, the administrator must ensure that the user's home directory and any objects owned by that network user are also deleted. As an alternative to deleting objects owned by the network user, the administrator may change the ownership of these objects to another user who is defined on the system. The administrator must also ensure that all batch jobs still to run that are associated with the deleted network user are deleted.

The administrator must ensure that no objects or processes belonging to a deleted user remain on the system.

3.6.3.9 Further Information on Local and Network Users

• The initial password chosen by the administrator for the user must conform to the password policy detailed in Section 3.4.7, “Password Policy”. The initial password for a user must also be chosen at random, so that the next initial password cannot be guessed.

• Once a user has been created and a password provided, the user must be told immediately to log on and change their password. The user must be informed of their username and initial password in a secure manner.

• When creating users, the administrator must ensure that all usernames and all UIDs of the new users are unique on the system. This includes uniqueness between local and network users, and between local users on different machines.

• Only the methods detailed above shall be used to create, suspend and delete users. The administrator must not attempt to modify the password file or table in any other way.

• Chapters 1 and 2 of [UPMA] provide further details on user accounts. These are to be used as guidance, but the creation and deletion of users must be by the methods specified above.

• Upon successful login, the real and audit user ids are set to the uid specified by the authentication data. The real group id is set to the gid from the authentication data. The uid and gids for each user should be assigned and maintained by the administrator using User Manager and Group Manager. These applications should be used in accordance with the measures outlined in this document to ensure secure operation.

3.6.4 Sharing Filesystems

It is possible to make filesystems read-only or read-write. If a filesystem is mounted read-only then write access will not be granted to any files within that filesystem, regardless of the OGO permissions on those files. This restriction also applies to the root user. When sharing NFS file systems, the default UNIX authentication mechanism shall be used.

See [FSA], and [ADMCOMS] under share(1M), shareall(1M) and share_nfs(1M).

3.6.5 Discretionary Access Control

There are a number of administration issues concerned with DAC that the administrator must be aware of:

• DAC only applies to objects that are subject to the administration of rights.

• The administrator should ensure that the following file permissions are always maintained, so that authentication data is protected by DAC and only owners may read encrypted passwords (i.e. via the trusted programs login, su, ftp, telnet and rlogin):

File Permissions

local passwd (each client)   rw-r--r--
local shadow (each client)   r--------
local group (each client)    rw-r--r--

In addition, authentication information such as passwords must not be stored on removable media.

• The operating system has a configuration option, {_POSIX_CHOWN_RESTRICTED}, to restrict ownership changes. When this option is in effect, the owner of a file is prevented from changing the owner ID of the file. Only the super-user can arbitrarily change owner IDs, whether or not this option is in effect. By default this option is in effect; to turn it off, add the line set rstchown=0 to the file /etc/system. To turn it on again, replace the 0 with 1. Any change requires a reboot.

Note – When using the getconf command to determine the setting of {_POSIX_CHOWN_RESTRICTED}, the value “0” is displayed as “undefined”. The value “1” is displayed as “1”.

• The command ‘ls -l <object name>’ can be used to check permissions on objects, to ensure that they are correctly protected. The administrator can also examine the audit trail to check whether there have been any unauthorised access attempts on these objects. See [BSM].
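The permission table above is a standing requirement, so it is worth checking mechanically rather than by reading ls -l output by hand. The script below is an added example, not part of these release notes or of the Solaris product: it compares each authentication file against the mode the table requires and reports any drift. It takes the directory to check as an argument, so the demonstration runs on a scratch directory holding constructed copies of passwd, shadow and group; on a real host the administrator would point it at /etc.

```shell
#!/bin/sh
# Added example, not from the release notes: verify that the authentication
# files carry exactly the modes listed in the File Permissions table of
# Section 3.6.5, reading them from `ls -l` output as the notes suggest.
# A real run would point it at /etc; here a scratch directory is populated
# with constructed copies so the check runs anywhere.

# Required modes (file name, symbolic mode) from the table.
EXPECTED_MODES='passwd rw-r--r--
shadow r--------
group rw-r--r--'

# Print the 9-character symbolic permission string of a file, e.g. rw-r--r--.
file_mode() {
    ls -ld "$1" | cut -c2-10
}

# Compare every file named in EXPECTED_MODES under directory $1 against its
# required mode. Prints one line per file; returns 0 only if all match.
check_auth_file_modes() {
    dir=$1
    rc=0
    while read -r name want; do
        [ -n "$name" ] || continue
        have=$(file_mode "$dir/$name")
        if [ "$have" = "$want" ]; then
            printf 'OK    %s/%s %s\n' "$dir" "$name" "$have"
        else
            printf 'DRIFT %s/%s is %s, expected %s\n' "$dir" "$name" "$have" "$want"
            rc=1
        fi
    done <<EOF
$EXPECTED_MODES
EOF
    return $rc
}

# Create a scratch directory holding constructed passwd, shadow and group
# files with the required modes, and print its path.
make_sample_auth_dir() {
    d=$(mktemp -d)
    printf 'root:x:0:0:Super-User:/:/sbin/sh\n' > "$d/passwd"
    printf 'root:NP:14000::::::\n' > "$d/shadow"
    printf 'root::0:\n' > "$d/group"
    chmod 644 "$d/passwd" "$d/group"
    chmod 400 "$d/shadow"
    printf '%s\n' "$d"
}

# Demonstration: a clean directory passes, then shadow is loosened and flagged.
demo=$(make_sample_auth_dir)
check_auth_file_modes "$demo"
chmod 644 "$demo/shadow"
check_auth_file_modes "$demo" || echo "drift detected, as expected"
rm -rf "$demo"
```

A DRIFT line for shadow is the one to treat as urgent, since a world-readable shadow file exposes the encrypted passwords that the table exists to protect.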

3.6.6 Accounting and Audit

Details of the Accounting and Audit system can be found in [BSM]. [BSM] provides instructions on how to set the system up to record the required events for the required users. The document also provides details on how to examine the audit trails after the events have been recorded. See also [ADMCOMS] under audit(1M), audit_startup(1M), auditconfig(1M), auditd(1M), auditreduce(1M), and praudit(1M).

Each machine audits its own events locally, and the auditing system of each machine is managed by the local root user of that machine. This is true whether the machine is an LDAP server or a client.

The auditing system can be started in one of two ways. If the file /etc/security/audit_startup exists then auditing starts every time the system is rebooted. See [BSM] for details of this file. Alternatively, the commands ‘auditd’ and ‘audit -t’ can be used by the administrator to start and stop auditing. See [ADMCOMS] under auditd(1M) and audit(1M) for details of these commands.

If auditing is required on the system, the administrator must ensure that auditing is started on reboot (i.e. the administrator must create an audit_startup file). This is also important for maintaining a secure and consistent audit configuration (especially with regard to the AUDIT_CNT flag, see below), as the audit_startup file provides a means of setting the audit policies every time the audit daemon is started.

The command ‘audit -t’, which stops recording on the system, must be used with care. After this command, auditable user actions will not be recorded until the administrator starts the accounting system again, or until the system is rebooted (if an audit_startup file exists).

The command ‘ps -ef | grep audit’ can be used to ascertain whether the auditd process is running. See [USERCOMS] under ps(1) for details of this command.

The audit trail files are stored in a directory which is specified in the file /etc/security/audit_control. See [ADMCOMS] for details of this file. The files in this directory are protected in such a way that only the administrator has access to them. The permissions on files within this directory must not be changed by the administrator. The administrator must also ensure that any files created by using the auditreduce(1M) command are also properly protected, so that normal users do not have access to them.

If the audit trail is to be stored on a partition which is NFS mounted, the ‘noac’ option must be used to ensure that audit records are not lost on exhaustion of the available space.

Warning – To operate the system in a certified configuration, audit trails stored on NFS mounted partitions must use a partition mounted with the noac flag, either explicitly or in the /etc/vfstab file. An entry in the /etc/vfstab file will look similar to:

<remote_machine>:/var/audit - /var/audit2 nfs - yes noac

This line ensures that local caching is turned off, so that a write error results on a full partition and audit records are not lost.

The audit trail must not be stored on media which is physically removable from a machine by unauthorised users.

Whenever the audit daemon encounters an unusual condition while writing audit records, it invokes the /etc/security/audit_warn script. This script is used to warn the administrator if the audit directory is becoming full. ([BSM] and the audit_warn(1M) manual page provide further details.) The administrator must ensure that audit_warn is adequately set up for the particular installation of the ToE.

The command ‘df -k’ can be used to check on available space on the disk. See [USERCOMS] under df(1) for details of this command.

The ToE must be set up so that if the audit trail files fill up, all auditable processes are suspended until some storage space is freed. audit_warn notifies the administrator when this happens, and the administrator must either archive the audit trails or provide further storage space. See [BSM] for further details.

Warning – To operate the system in a certified configuration, there must exist an audit_startup file containing the following line:

auditconfig -setpolicy -cnt

This line ensures that the AUDIT_CNT flag is not set, thus preventing loss of audit data upon kernel audit buffer overflow. In addition, administrators must ensure that this file never contains a line saying ‘auditconfig -setpolicy +cnt’, which may override the required policy.

Administrators should be aware that the system sets the AUDIT_CNT flag by default, and they should therefore set up the audit_startup file immediately after installation, then reboot. The line should also never be removed, to ensure that the required policy is restored following subsequent system reboots.

The administrator needs to ensure that the audit trail captures the use of user account management commands, and that it is examined for them.

Warning – If CLI commands are used to administer accounts, the following line must be added to the audit_startup file to ensure that the creation, deletion and modification of user accounts is audited.

auditconfig -setpolicy +argv

This line ensures that the ex flag captures the full path of the useradd, userdel, usermod, groupadd, groupdel and groupmod commands when they are executed, so that their use is audited and no audit data is lost.

System procedures must exist which deal with the analysing and archiving of audit data. These procedures must be adequate so that in normal operation the audit trail files do not completely fill up.

The administrator must regularly examine the audit trail for attempts to breach the security of the system. If repeated attempts at breaching the security of the system are detected, appropriate action must be taken.

There must be procedures in place for each system which define what events are to be audited. The administrator must follow these procedures when setting up the /etc/security/audit_control file.

If it is required to audit events which constitute [CC] functionality, then the following flags must be set in the /etc/security/audit_control file. See [BSM] for details of how to set these flags.

flags:fr,fw,fm,fc,fd,ad,lo,ex

naflags:lo

The file /etc/security/audit_control can be viewed by the administrator at any time to check what events the system is set up to record.

Warning – The administrator should be aware that administration of user accounts using the useradd(1M), usermod(1M) and userdel(1M) commands will not generate any user-level audit events directly. The administrator must adopt a policy of searching for the exec record with the full path of these commands. This can be done by auditing the actions of these commands by setting the ‘ex’ flag and examining the audit trail for AUE_EXEC and AUE_EXECVE kernel-level events. The ‘ex’ flag will record every executed command along with any specified attributes.
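Section 3.6.6 states three conditions for a certified audit configuration: the noac option on NFS-mounted audit partitions, an audit_startup file that sets -cnt (and +argv when accounts are managed from the command line) and never +cnt, and the [CC] flag set in audit_control. The script below is an added example, not part of these release notes or of the Solaris product, that checks all three against copies of the files. It runs here on constructed copies written to a scratch directory; the server name auditsrv and the use of the substring "audit" to recognise audit mounts in vfstab are assumptions of the example. Real flag lines with +/- prefixes on individual flags are not parsed, since the notes use plain flag names.

```shell
#!/bin/sh
# Added example, not from the release notes: check the three audit settings
# that Section 3.6.6 makes mandatory for the certified configuration, against
# constructed copies of the files so the script runs on any POSIX system:
#   - audit_startup sets -cnt, never +cnt, and (for CLI account management) +argv
#   - audit_control carries the [CC] flags and naflags:lo
#   - NFS-mounted audit partitions in vfstab use the noac option
# The "audit" substring used to pick audit mounts out of vfstab is an
# assumption of this example; adjust it to the site's real mount points.

REQUIRED_FLAGS="fr fw fm fc fd ad lo ex"

# True if file $1 has an uncommented "auditconfig -setpolicy <sign><policy>" line.
has_policy_line() {
    grep -Eq "^[[:space:]]*(/usr/sbin/)?auditconfig[[:space:]]+-setpolicy[[:space:]]+[$2]$3([[:space:]]|\$)" "$1"
}

check_audit_startup() {
    f=$1; rc=0
    has_policy_line "$f" - cnt || { echo "$f: missing 'auditconfig -setpolicy -cnt'"; rc=1; }
    if has_policy_line "$f" + cnt; then
        echo "$f: contains 'auditconfig -setpolicy +cnt', which overrides the required policy"; rc=1
    fi
    has_policy_line "$f" + argv || { echo "$f: missing 'auditconfig -setpolicy +argv' (needed when accounts are managed from the CLI)"; rc=1; }
    return $rc
}

# audit_control: flags must include every [CC] flag, naflags must include lo.
# (Plain flag names only, as in the notes; +/- prefixed flags are not parsed.)
check_audit_control() {
    f=$1; rc=0
    flags=$(sed -n 's/^flags:[[:space:]]*//p' "$f" | head -n 1)
    for want in $REQUIRED_FLAGS; do
        case ",$flags," in
            *",$want,"*) ;;
            *) echo "$f: flags line lacks '$want'"; rc=1 ;;
        esac
    done
    naflags=$(sed -n 's/^naflags:[[:space:]]*//p' "$f" | head -n 1)
    case ",$naflags," in
        *,lo,*) ;;
        *) echo "$f: naflags line lacks 'lo'"; rc=1 ;;
    esac
    return $rc
}

# vfstab(4) fields: device-to-mount device-to-fsck mount-point FStype fsck-pass mount-at-boot options
check_vfstab_noac() {
    f=$1; rc=0
    while read -r dev fsck mnt fstype pass boot opts; do
        case "$dev" in ''|'#'*) continue ;; esac
        [ "$fstype" = nfs ] || continue
        case "$dev $mnt" in *audit*) ;; *) continue ;; esac
        case ",$opts," in
            *,noac,*) echo "OK: $dev on $mnt ($opts)" ;;
            *) echo "$f: NFS audit mount $dev on $mnt lacks noac (options: $opts)"; rc=1 ;;
        esac
    done < "$f"
    return $rc
}

# Write constructed, compliant copies of the three files into a scratch
# directory and print its path.
write_sample_audit_config() {
    d=$(mktemp -d)
    printf '%s\n' '#!/bin/sh' \
        '/usr/sbin/auditconfig -setpolicy -cnt' \
        '/usr/sbin/auditconfig -setpolicy +argv' > "$d/audit_startup"
    printf '%s\n' 'dir:/var/audit' 'flags:fr,fw,fm,fc,fd,ad,lo,ex' \
        'minfree:20' 'naflags:lo' > "$d/audit_control"
    printf '%s\n' '#device device mount FS fsck mount mount' \
        'auditsrv:/var/audit - /var/audit2 nfs - yes noac' > "$d/vfstab"
    printf '%s\n' "$d"
}

# Demonstration: all three checks pass on the constructed files.
sample=$(write_sample_audit_config)
check_audit_startup "$sample/audit_startup" && echo "audit_startup: OK"
check_audit_control "$sample/audit_control" && echo "audit_control: OK"
check_vfstab_noac "$sample/vfstab"
rm -rf "$sample"
```

Running the three checks after every reboot-relevant change (and keeping them in the site's audit procedures) catches the most likely regressions: a stray +cnt line, a flags line edited down, or a new NFS audit mount added without noac.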

3.6.7 Devices

It is possible for all users of the system to allocate themselves exclusive use of the devices attached to the machine at which they are logged in. By using the -F flag the administrator can reassign the device to another user, or alternatively the administrator can use the deallocate command to deallocate the device. See [ADMCOMS] under allocate(1M) and deallocate(1M) for further details.

The user is permitted access to bootable removable media drives. The user must be instructed to remove his media when he has finished using it. It may be necessary for the administrator to load media into drives for a user, in which case the user must inform the administrator immediately he has finished using it so that it is removed. This prevents its use by other, potentially unauthorized users. The secure use by users of assignable devices is covered in [USER].

3.6.8 Trusted Clients

All clients to the server must be identified and authenticated by the server.

The file /etc/hosts or the hosts table contains details of the trusted clients. After installation only the administrator can change data in these files/tables. The administrator must not change the permissions on these files/tables in a way that would enable normal users to change them. The command ‘ls -l /etc/hosts’ can be used to ascertain the permissions on the file.

Details of the /etc/hosts file can be found in [FILEFORM] under hosts(4).

The file /etc/nsswitch.conf allows the administrator to specify whether the file /etc/hosts will be searched before the corresponding LDAP directory or vice versa. Details of this file can be found in [FILEFORM] under nsswitch.conf.

3.6.9 Unauthorised Software

Only the administrator shall be allowed to introduce new software onto the system. This includes compilers and similar tools. The java compiler, which is installed by default, should be restricted by changing the permissions on /usr/java1.2/bin/.javawrapper to allow access only to authorised users.

The remaining measures are provided by physical methods which need to be provided at each installation of the ToE. The physical methods to protect the system, which need to be defined for each individual installation, are:

• Access to the system as a whole shall be protected

• Removable media shall be protected

• Backup media shall be protected

• Any network machines, servers, and peripheral cabling shall be protected from unauthorised access

3.6.10 Checking the Configuration

The pkgchk command shall be used any time the system administrator suspects the integrity of the system may have been compromised; see [ADMCOMS] under pkgchk(1M) for further details.

Additionally, the Abstract Machine Tests should be executed periodically to ensure that domain separation is being enforced.

3.6.11 Mail

The administrator must not use the Mail System of the product to send messages of an instructional nature to other users on the system. There is a possibility that another user of the system can spoof a message and make it appear that it came from root. See [USER] for more details on this.

If a user of the system receives mail purporting to be from the administrator, the user is instructed to confirm with the administrator that the mail is genuine. If confirmation is sought by a user and no mail was sent by the administrator, then the administrator must endeavor to detect the source of the mail and take appropriate action. The type of appropriate action will depend on the specific installation of the system.

3.6.12 Secure Operating Procedures

If the Secure Operating Procedures are followed, then there is no possible deactivation or modification of security enforcing functions during secure operation.

3.6.13 Administration Documentation

It is recommended that administrators refer to the set of book-form documentation for Solaris 10 5/08 and Solaris 10 5/08 Trusted Extensions when operating the ToE.

3.6.14 login -f Option

The login command has an undocumented option “-f”. The use of this option, especially when combined with the -r option, can cause unexpected effects. There are no known security implications when using this undocumented feature, but it is advised that administrators not use it.

3.6.15 Entry Into Debugger Mode

In Solaris 10 5/08 Trusted Extensions, audit records are generated when a user enters and exits debugger mode. However, this feature only works if the STOP-A is done from a console. Entry into debugger mode via a tip line is not audited, and therefore this feature must be disabled. To do so, edit the file /etc/system. At the end of the file, add the line:

set abort_enable = 0

3.6.16 Truncated Password

Users can change to passwords such as “abcdefghijk12” and then log in with just “abcdefgh”. Only the first eight characters of the typed password are significant, whether you are setting it or authenticating. Anything longer is truncated after the eighth character.

When you try to set the password to “abcdefgh”, the passwd command complains:

passwd: The first 6 characters of the password must contain at least two alphabetic characters and at least one numeric or special character.

This was expected. However, when you set the password to “abcdefgh123”, it does not complain and the effective password is set to “abcdefgh”. Conversely, using numerals, you can set your password to “12345678” by typing “12345678&abc” as the new password, but not by typing “12345678”.

In order to maintain the Strength of Function claim, the site must require that users input a password of no more than eight characters and that at least one character must be a numeric or special character. See Section 3.5.8 Password Policy of this document for a complete list of password policy rules.
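The failure mode described in this section is that the policy check runs on the typed string while authentication runs on its first eight characters, so the site rule has to be enforced on the typed length. The following script is an added example, not part of these release notes or of the Solaris product, and its checks are the example's own rather than the passwd(1) policy engine: it shows the effective password for each candidate quoted above and applies the two site requirements (at most eight characters typed, at least one numeric or special character).

```shell
#!/bin/sh
# Added example, not from the release notes: show what the eight-character
# truncation described in Section 3.6.16 does to a candidate password, and
# apply the site rule the notes require (no more than eight characters, at
# least one numeric or special character). The checks here are this example's
# own; they are not the passwd(1) policy engine.

# The part of a typed password that the system actually uses.
effective_password() {
    printf '%.8s\n' "$1"
}

# Site rule from the notes: reject anything over eight characters (the rest
# would be silently dropped) and anything with no numeric or special character.
# Prints the reason and returns 1 on rejection, 0 on acceptance.
site_password_ok() {
    pw=$1
    if [ "${#pw}" -gt 8 ]; then
        echo "rejected: ${#pw} characters typed, only '$(effective_password "$pw")' would be used"
        return 1
    fi
    case "$pw" in
        *[!A-Za-z]*) ;;
        *) echo "rejected: no numeric or special character"; return 1 ;;
    esac
    echo "accepted"
    return 0
}

# Demonstration with the passwords quoted in the notes (constructed inputs).
for candidate in 'abcdefghijk12' 'abcdefgh123' '12345678&abc' 'abcdefgh' 'abcde1fg'; do
    printf '%-14s -> effective %-9s: ' "$candidate" "$(effective_password "$candidate")"
    site_password_ok "$candidate" || :
done
```

Both “abcdefghijk12” and “12345678&abc” are rejected by the site rule even though passwd(1) accepts them, which is exactly the gap the Strength of Function requirement closes.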

3.6.17 /bin/login is setuid

The program /bin/login is setuid root largely for historical reasons. It is executed by a number of programs that run as root anyway. These programs are the most common users of login:

• ttymon

• telnetd

• rlogind

/bin/login is not required to be setuid. Only when executed from the shell, which will directly exec /bin/login, does login need to be setuid. However, that ‘feature’ is unnecessary in current operating environments.

/bin/login can be used to remove the hostname from your utmp entry. To eliminate this potential vulnerability, disable the use of /bin/login:

# chmod u-s /bin/login

3.6.18 mail(1), mailx(1) is setgid

The following files have their setgid bits set to mail:

/usr/bin/mail
/usr/bin/mailx
/usr/dt/bin/dtmail
/usr/dt/bin/dtmailpr
/usr/openwin/bin/mailtool

In order to remove this vulnerability, the administrator shall:

• remove the setgid mail from all of the above listed programs

# chmod g-s <program_name>

• make sure that all files in /var/mail are created with mode 600 and not 660.

3.6.19 /usr/ucb/ps -e

The command /usr/ucb/sparcv9/ps displays environment variables for all processes (including processes of other users) when the -e option is used. Only root should be able to see environment variables for all processes; non-root users should only see the environment variables of their own processes. To restrict this, remove the setuid bit:

# chmod u-s /usr/ucb/sparcv9/ps

3.6.20 /usr/bin/eject

/usr/bin/eject is setuid root and can be used to find files which are not owned by the user who runs the /usr/bin/eject command. /usr/bin/eject will report a “/path/file: Permission denied” error if the file exists. It will report “/path/file: No such file or directory” if a file does not exist.

This command should be disabled in the evaluated configuration by doing the following:

# chmod u-s /usr/bin/eject
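Sections 3.6.17 to 3.6.20 together amount to one hardening step: clear the setuid bit on /bin/login, /usr/ucb/sparcv9/ps and /usr/bin/eject, clear the setgid bit on the five mail programs, and keep mailboxes in /var/mail at mode 600. The script below is an added example, not part of these release notes or of the Solaris product, that reports which of those bits are still present, applies the chmod commands from the notes, and checks the mailbox modes. It takes a root directory argument, so the demonstration runs on a scratch tree of empty constructed files with the bits set rather than on the real binaries; the mailbox names alice and bob are constructed.

```shell
#!/bin/sh
# Added example, not from the release notes: audit and apply the set-id
# hardening of Sections 3.6.17 to 3.6.20 (chmod u-s on login, ps and eject,
# chmod g-s on the mail programs) and check that mailboxes are mode 600.
# It works under a root directory argument, so it is exercised here on a
# scratch tree of constructed empty files rather than the real binaries.

SETUID_TARGETS='/bin/login /usr/ucb/sparcv9/ps /usr/bin/eject'
SETGID_TARGETS='/usr/bin/mail /usr/bin/mailx /usr/dt/bin/dtmail /usr/dt/bin/dtmailpr /usr/openwin/bin/mailtool'

# 9-character symbolic mode of a file, e.g. rwsr-xr-x.
mode_of() { ls -ld "$1" | cut -c2-10; }

# List every target under root $1 that still carries its set-id bit
# (3rd mode character = setuid, 6th = setgid). Returns 1 if any does.
report_set_id_bits() {
    root=$1; rc=0
    for p in $SETUID_TARGETS; do
        [ -e "$root$p" ] || continue
        case "$(mode_of "$root$p")" in
            ??[sS]*) echo "setuid still set: $p ($(mode_of "$root$p"))"; rc=1 ;;
        esac
    done
    for p in $SETGID_TARGETS; do
        [ -e "$root$p" ] || continue
        case "$(mode_of "$root$p")" in
            ?????[sS]*) echo "setgid still set: $p ($(mode_of "$root$p"))"; rc=1 ;;
        esac
    done
    return $rc
}

# Apply the remediation from the notes under root $1.
strip_set_id_bits() {
    root=$1
    for p in $SETUID_TARGETS; do [ -e "$root$p" ] && chmod u-s "$root$p"; done
    for p in $SETGID_TARGETS; do [ -e "$root$p" ] && chmod g-s "$root$p"; done
    return 0
}

# Every mailbox in directory $1 must be rw------- (600), not 660.
check_mailbox_modes() {
    dir=$1; rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        m=$(mode_of "$f")
        [ "$m" = "rw-------" ] || { echo "mailbox $f has mode $m, expected rw-------"; rc=1; }
    done
    return $rc
}

# Build a scratch root mimicking the affected paths (empty constructed files
# with the set-id bits on, plus one good and one bad mailbox); print its path.
make_sample_root() {
    root=$(mktemp -d)
    for p in $SETUID_TARGETS; do
        mkdir -p "$root$(dirname "$p")"; : > "$root$p"; chmod 4755 "$root$p"
    done
    for p in $SETGID_TARGETS; do
        mkdir -p "$root$(dirname "$p")"; : > "$root$p"; chmod 2755 "$root$p"
    done
    mkdir -p "$root/var/mail"
    : > "$root/var/mail/alice"; chmod 600 "$root/var/mail/alice"
    : > "$root/var/mail/bob";   chmod 660 "$root/var/mail/bob"
    printf '%s\n' "$root"
}

# Demonstration: before and after hardening.
sample=$(make_sample_root)
report_set_id_bits "$sample" || echo "-- applying chmod u-s / g-s"
strip_set_id_bits "$sample"
report_set_id_bits "$sample" && echo "no set-id bits remain"
check_mailbox_modes "$sample/var/mail" || echo "fix with: chmod 600 <mailbox>"
rm -rf "$sample"
```

On a real host the report function run with root "" (the live filesystem) is the useful part to keep in the periodic configuration checks of Section 3.6.10, since a patch or package reinstall can quietly restore the set-id bits.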

3.6.21 dtterm(1) Window Title

The window title reporting feature of dtterm(1) may be used to execute arbitrary commands on the system running the terminal emulator. The terminal software supports escape sequences which can change the title of a terminal window and then report the title back to the command line. In this manner, an attacker can inject malicious escape sequences which include arbitrary commands in the terminal window title and then cause the commands to be displayed on the command line. Note that exploitation of this vulnerability will still require the user to press ‘Enter’ once the malicious commands are dumped from the window title to the command line.

All users should be wary of any suspicious activity that occurs while using the terminal emulator. This may include changes in the terminal window title, suspicious command line input or any server responses that seem unusual. All of these behaviors may indicate attempts to exploit this issue.

3.6.22 libXpm

Multiple vulnerabilities have been reported in libXpm which potentially can be exploited by malicious users.

• When a specially crafted XPM file is processed, a boundary error within the xpmParseColors() function can be exploited to cause a stack based buffer overflow. Successful exploitation may potentially allow execution of arbitrary code.

• Again when a specially crafted XPM file is processed, various input validation errors can be exploited to cause integer overflows. Successful exploitation causes an affected application to crash and may potentially allow arbitrary code execution.

Users must be advised not to load X PixMap (.xpm) images from untrusted sources.

3.6.23 RBAC exec_attr(4) Search in LDAP

The RBAC backend for LDAP composes its search for a wildcard rule using an unfiltered ‘*’. This results in a pattern that matches any command in the named profile rather than matching just a ‘*’ command.

This issue must be handled via administrative policy. Administrators are advised to limit unprivileged users' access to LDAP commands.

3.6.24 format(1M) Shell Escape in RBAC

Using RBAC, an administrator can define rights profiles that allow non-root users access to certain root commands. This may be done without giving the user general root access. If someone defines a profile with format(1), the user could use format(1)’s shell escape to gain general root access.

The file /etc/security/exec_attr gives the “File System Management” profile the right to execute /usr/sbin/format with user ID = 0. It should use “euid=0”. To eliminate this vulnerability, edit /etc/security/exec_attr, find the entry for /usr/sbin/format and change “uid=0” to “euid=0”.
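Because exec_attr(4) entries are colon-separated and the attribute field is itself a semicolon-separated list, a naive global substitution of uid=0 would also touch entries that should keep the real-uid setting and would turn an existing euid=0 into eeuid=0. The script below is an added example, not part of these release notes or of the Solaris product: it rewrites only the attribute field of the /usr/sbin/format entry, token by token, and provides a check that reports whether the entry is still unsafe. The three sample entries are constructed for the example; only the format line is taken from the text above.

```shell
#!/bin/sh
# Added example, not from the release notes: apply the fix from Section 3.6.24
# to exec_attr(4) data on stdin. Fields are profile:policy:type:res1:res2:id:attr;
# only the attr field of the /usr/sbin/format entry is changed, and only the
# exact token "uid=0" becomes "euid=0", so other entries and an existing
# "euid=0" are left untouched.

# Constructed sample; the format line matches what the notes describe.
SAMPLE_EXEC_ATTR='File System Management:suser:cmd:::/usr/sbin/format:uid=0
File System Management:suser:cmd:::/usr/sbin/mount:uid=0
Printer Management:suser:cmd:::/usr/bin/cancel:euid=lp'

# Print the attr field of the /usr/sbin/format entry read from stdin.
format_entry_attr() {
    awk -F: '$6 == "/usr/sbin/format" { print $7 }'
}

# Rewrite stdin so that the /usr/sbin/format entry uses euid=0 instead of uid=0.
fix_format_entry() {
    awk -F: 'BEGIN { OFS = ":" }
    $6 == "/usr/sbin/format" {
        n = split($7, a, ";")
        for (i = 1; i <= n; i++) if (a[i] == "uid=0") a[i] = "euid=0"
        s = a[1]; for (i = 2; i <= n; i++) s = s ";" a[i]
        $7 = s
    }
    { print }'
}

# Return 0 if the format entry on stdin carries no bare uid=0 token.
format_entry_is_safe() {
    attr=$(format_entry_attr)
    case ";$attr;" in *";uid=0;"*) return 1 ;; esac
    return 0
}

# Demonstration: show the corrected file on stdout.
printf '%s\n' "$SAMPLE_EXEC_ATTR" | fix_format_entry
```

Run it as fix_format_entry < /etc/security/exec_attr > /tmp/exec_attr.new, compare the two files, and only then move the new file into place; format_entry_is_safe gives a one-line yes/no that can be added to the periodic configuration checks.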

3.6.25 Audit Records Longer Than 65K May be Lost

Bug ID 6245760

If the audit policy is set to +argv and +arge and the audit preselection flag ex is enabled, there are cases where the resulting exec audit record exceeds 65 Kbytes in length. This issue can be avoided by selecting only one of the above listed audit policies (either argv or arge).

3.6.26 Warning Regarding TRACE Option in SMC

As the TRACE method cannot be turned off, administrators must be aware that there is a vulnerability when running SMC. The vulnerability may allow information gathering and give a local or remote unprivileged user the ability to access sensitive information, such as cookies or authentication data, contained in the HTTP headers of an HTTP TRACE request.

3.6.27 GIMP Online

Bug ID 6575934

The gimp(1) online links fail to open in the web browser. /usr/sfw/bin must be added to users’ PATH environment variable, and users are cautioned against downloading images from untrusted sources.

3.6.28 /usr/bin/cancel

Bug ID 6666799

The command /usr/bin/cancel does not execute the action when invoked with no arguments. Always use the /usr/bin/cancel command with arguments.

3.6.29 snoop(1M)

Bug ID 6473778

The use of snoop(1M) causes a panic on a SunFire T2000 machine. This command should not be used.

3.6.30 Assuming Roles

Bug ID 6432114

Attempts to login via GDM will result in an error: “The system administrator has disabled access to the system temporarily.” The workaround for this defect is to do the following in the file /etc/pam.conf:

1. Comment out the line:

other account required pam_tsol_account.so.1

2. Add the lines:

gdm account requisite pam_roles.so.1

gdm account required pam_unix_account.so.1
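The two steps above are a mechanical edit of pam.conf(4), and an edit of that file that goes wrong can lock every service out, so it is safer to apply it to a copy and diff the result before installing it. The script below is an added example, not part of these release notes or of the Solaris product: it performs both steps on a pam.conf read from stdin, is idempotent (the gdm lines are not duplicated on a second run), and includes a check that reports whether a given pam.conf already carries the workaround. The excerpt it is demonstrated on is constructed and is not a real system file.

```shell
#!/bin/sh
# Added example, not from the release notes: apply the GDM workaround from
# Section 3.6.30 to a copy of pam.conf (comment out the "other account
# required pam_tsol_account.so.1" line and add the two gdm account lines).
# It reads pam.conf on stdin and writes the result to stdout; the excerpt
# below is constructed, not a real system file. Run it against a copy and
# review the diff before replacing /etc/pam.conf.

SAMPLE_PAM_CONF='# constructed excerpt of /etc/pam.conf
login auth requisite pam_authtok_get.so.1
other account requisite pam_roles.so.1
other account required pam_unix_account.so.1
other account required pam_tsol_account.so.1'

# Rewrite stdin: step 1 comments out the pam_tsol_account line of the "other"
# account stack; step 2 appends the gdm account stack unless it is already there.
apply_gdm_workaround() {
    awk '
    $1 == "gdm" && $2 == "account" { have_gdm = 1 }
    $1 == "other" && $2 == "account" && $4 == "pam_tsol_account.so.1" { print "#" $0; next }
    { print }
    END {
        if (!have_gdm) {
            print "gdm account requisite pam_roles.so.1"
            print "gdm account required pam_unix_account.so.1"
        }
    }'
}

# Return 0 if the pam.conf on stdin already carries the workaround: no active
# pam_tsol_account line in the "other" account stack, and both gdm lines present.
has_gdm_workaround() {
    awk '
    $1 == "other" && $2 == "account" && $4 == "pam_tsol_account.so.1" { active = 1 }
    $1 == "gdm" && $2 == "account" && $3 == "requisite" && $4 == "pam_roles.so.1" { roles = 1 }
    $1 == "gdm" && $2 == "account" && $3 == "required" && $4 == "pam_unix_account.so.1" { unix = 1 }
    END { exit (!active && roles && unix) ? 0 : 1 }'
}

# Demonstration: print the rewritten excerpt.
printf '%s\n' "$SAMPLE_PAM_CONF" | apply_gdm_workaround
```

Typical use is apply_gdm_workaround < /etc/pam.conf > /tmp/pam.conf.new followed by a diff against the original; has_gdm_workaround < /etc/pam.conf can then be kept with the other configuration checks so that a later package update that rewrites pam.conf is noticed.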
